Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: armhf
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: armhf Build Daemon (arm-ubc-05)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the user
     exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.