Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: armel
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: armel Build Daemon (arm-conova-03)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the user
     exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.