Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: arm64
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: arm64 Build Daemon (arm-ubc-02)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the user
     exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.