Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: riscv64
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: riscv64 Build Daemon (rv-manda-03)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the user
     exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.