Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Binary: sogo sogo-activesync sogo-activesync-dbgsym sogo-dbgsym
Architecture: s390x
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: s390x Build Daemon (zani)
Changed-By: Peter Wienemann
Description:
 sogo - Scalable groupware server
 sogo-activesync - Scalable groupware server - ActiveSync module
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary
     data from the database by injecting SQL subqueries through the uid
     parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the
     user exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.