-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: ppc64el
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-conova-02) <buildd_ppc64el-ppc64el-conova-02@buildd.debian.org>
Changed-By: Peter Wienemann <wiene@debian.org>
Description:
 sogo       - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list
     management functionality that allows authenticated users to extract
     arbitrary data from the database by injecting SQL subqueries through
     the uid parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the
     user exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 3342b562b01d55e03ff308230c09584f912b7e77 102340 sogo-activesync-dbgsym_5.12.1-3+deb13u2_ppc64el.deb
 c501a5c87c95501dcf811fa344fc13c8a5c0624e 223080 sogo-activesync_5.12.1-3+deb13u2_ppc64el.deb
 2eeb77d33221f2aaee3266a4b33095929bd807bb 1192856 sogo-dbgsym_5.12.1-3+deb13u2_ppc64el.deb
 4b73b650904a294970b4a5536a0ad893275bfefd 13865 sogo_5.12.1-3+deb13u2_ppc64el-buildd.buildinfo
 b09972b92a454ff853eac9ed0e2d826ed661ffd8 1299892 sogo_5.12.1-3+deb13u2_ppc64el.deb
Checksums-Sha256:
 3b0ccfbdca9ca65ef588ae4d71c4d5373b54e8f348da12ffc6b70c2a6363ad46 102340 sogo-activesync-dbgsym_5.12.1-3+deb13u2_ppc64el.deb
 cbfb4f42fd5b53c3f8cad1199716e0c6e7f68f1a820419910905b53b417a2709 223080 sogo-activesync_5.12.1-3+deb13u2_ppc64el.deb
 975d4b42f4017797dafbf684df94fc4c4d03c6e880e4e1bd0c67d5336fd7c0ff 1192856 sogo-dbgsym_5.12.1-3+deb13u2_ppc64el.deb
 a992860ff5f592b721ebfd27a663a2c1d9e7ac3287c0054cd37fe1dc52ed1617 13865 sogo_5.12.1-3+deb13u2_ppc64el-buildd.buildinfo
 e465fb82c8812c9495afb92c9270d76836ae5f18aa5fbe6052ffa94ea20d9ce0 1299892 sogo_5.12.1-3+deb13u2_ppc64el.deb
Files:
 b67bb81f772efafae61b22583cc671df 102340 debug optional sogo-activesync-dbgsym_5.12.1-3+deb13u2_ppc64el.deb
 be1f60b624a5cf38bf16fc10ccbafe17 223080 mail optional sogo-activesync_5.12.1-3+deb13u2_ppc64el.deb
 fd80054188024204d465ff594565ebd1 1192856 debug optional sogo-dbgsym_5.12.1-3+deb13u2_ppc64el.deb
 0504a8d02b308eba3b1c4d9f6380fe39 13865 mail optional sogo_5.12.1-3+deb13u2_ppc64el-buildd.buildinfo
 f927df5d94cf551f184d8bfd877c0891 1299892 mail optional sogo_5.12.1-3+deb13u2_ppc64el.deb

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
