-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: i386
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02) <buildd_amd64-x86-conova-02@buildd.debian.org>
Changed-By: Peter Wienemann <wiene@debian.org>
Description:
 sogo       - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list
     management functionality that allows authenticated users to extract
     arbitrary data from the database by injecting SQL subqueries through
     the uid parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix OpenID validation:
     Verify that the returned email domain is authorized and that the
     user exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 7678bdd44115ae4d0877ab94f20cb65bfeefb2ee 103180 sogo-activesync-dbgsym_5.12.1-3+deb13u2_i386.deb
 738d70735d5e5aa65d0cdaca172f0c9cb431e366 218196 sogo-activesync_5.12.1-3+deb13u2_i386.deb
 daedffdfa1b84f2d557fc5f860d0a3279b79323f 1181172 sogo-dbgsym_5.12.1-3+deb13u2_i386.deb
 c99c5ef00bb6a2b563b7a27ff0b6d535208dc813 13699 sogo_5.12.1-3+deb13u2_i386-buildd.buildinfo
 414e426a0ee26b7701bfcab1aa5f970be2e1cafb 1178344 sogo_5.12.1-3+deb13u2_i386.deb
Checksums-Sha256:
 ae84ab9bd2599ca10d9d646a5b479d5b7753312b7633770f8730418365e13929 103180 sogo-activesync-dbgsym_5.12.1-3+deb13u2_i386.deb
 4f46b89ebb3b2d0a3aa921021c432163911d2b5e87e3d71f56afe85c37b0a019 218196 sogo-activesync_5.12.1-3+deb13u2_i386.deb
 bbefb52aeee93fe659ca171c36fb34972db025be92600f271932e3756a4afcdf 1181172 sogo-dbgsym_5.12.1-3+deb13u2_i386.deb
 0d33901a984dabda74d328456cdd5f03a3cfbb11e2c4dfa8b743afc0299e8519 13699 sogo_5.12.1-3+deb13u2_i386-buildd.buildinfo
 743ae34a6c19fe3f4ed8bfe7ed5ab58fe673bcb390f5476a4a2e4872d5c77e71 1178344 sogo_5.12.1-3+deb13u2_i386.deb
Files:
 49c00d686539ae742b4167d2d5859823 103180 debug optional sogo-activesync-dbgsym_5.12.1-3+deb13u2_i386.deb
 afe1e9088de5897a59d7dc844937def2 218196 mail optional sogo-activesync_5.12.1-3+deb13u2_i386.deb
 9cd6dbcceab860598fab2ee1215cd1cd 1181172 debug optional sogo-dbgsym_5.12.1-3+deb13u2_i386.deb
 ae3a55576d0b242fe13729a846184e38 13699 mail optional sogo_5.12.1-3+deb13u2_i386-buildd.buildinfo
 03ee0deaf59fd9899a98888d4f918dec 1178344 mail optional sogo_5.12.1-3+deb13u2_i386.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
