-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo-common
Architecture: all
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Peter Wienemann
Description:
 sogo-common - Scalable groupware server - common files
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation: Verify that the returned email
     domain is authorized and that the user exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 9ef00f938e7712fc740eec5a3a3206d00b448818 18606844 sogo-common_5.12.1-3+deb13u2_all.deb
 00365e0cd1d23b014864e1d76e40d83da1f891b7 12923 sogo_5.12.1-3+deb13u2_all-buildd.buildinfo
Checksums-Sha256:
 b9c09253b842d68c2b715e8ad1d673d8a98fc1d2af3d640ed5315cc6592062a1 18606844 sogo-common_5.12.1-3+deb13u2_all.deb
 9623fd1851351386318cb9148ac8cb7d508d71b1e7b8f5e58a4860b682a71c33 12923 sogo_5.12.1-3+deb13u2_all-buildd.buildinfo
Files:
 b50c976ce156a35a813cdcd215b3c208 18606844 mail optional sogo-common_5.12.1-3+deb13u2_all.deb
 39d8d4ebe189b6141c433e3025898486 12923 mail optional sogo_5.12.1-3+deb13u2_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----