-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jun 2026 21:26:37 +0200
Source: sogo
Architecture: source
Version: 5.12.1-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian SOGo Maintainers
Changed-By: Peter Wienemann
Closes: 1130878 1131605 1131606
Changes:
 sogo (5.12.1-3+deb13u2) trixie-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-3054: (Closes: #1130878)
     XSS via manipulation of the argument hint
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list management
     functionality that allows authenticated users to extract arbitrary data
     from the database by injecting SQL subqueries through the uid parameter
     of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix openid validation:
     Verify that the returned email domain is authorized and that the user
     exists in the local source.
   * Add two patches to fix XSS in message subject rendering
   * Add three patches to fix message rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 d4d3c241b9593935c0185e1b90d0b6cc81e07add 2439 sogo_5.12.1-3+deb13u2.dsc
 2277cc8a301d34638e2fcb653e2f1fa5540c3a43 37738293 sogo_5.12.1.orig.tar.gz
 cd98ef2a20483d46f59aaddc1e94f08042e875b4 40264 sogo_5.12.1-3+deb13u2.debian.tar.xz
 5831903e8e96c1a7e06ac9b446f5c422004a2dcf 14445 sogo_5.12.1-3+deb13u2_amd64.buildinfo
Checksums-Sha256:
 5064373fef653a424340f0e6f83729af86f2e098117cb637e4e3e4312a806968 2439 sogo_5.12.1-3+deb13u2.dsc
 b51d39b31af9a6059db79a18201f3c6cfd584468e369eebe286f8181804bcd99 37738293 sogo_5.12.1.orig.tar.gz
 cfb745ac3152d71e939a97179ee8dde773abca57328a880dbbb2cf23191d4a78 40264 sogo_5.12.1-3+deb13u2.debian.tar.xz
 98c62d38e51220504d104146c23170c274ba81d2d557d7e05fa261128ab96710 14445 sogo_5.12.1-3+deb13u2_amd64.buildinfo
Files:
 605152ee8092574788c037e6596fe910 2439 mail optional sogo_5.12.1-3+deb13u2.dsc
 75a0eb739c62a497cf33f55df739c9b3 37738293 mail optional sogo_5.12.1.orig.tar.gz
 f35ddd2b06d873d24d12d15fc284865f 40264 mail optional sogo_5.12.1-3+deb13u2.debian.tar.xz
 2dfa4aa0d6ab1666666d7166c5980d2c 14445 mail optional sogo_5.12.1-3+deb13u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEBrYs08CqJ6RHEajlAuXO5wyFLHsFAmo8Nb1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDA2
QjYyQ0QzQzBBQTI3QTQ0NzExQThFNTAyRTVDRUU3MEM4NTJDN0IACgkQAuXO5wyF
LHsTKxAApOAhdeGvoyhAUUgwKlLOqbExwhMqOsHMfvc8dQjwu+gZ26Idyh2Re1pV
FxmEZGtDVcyT0oc2DwhPqVBflNP0tWVdYJoLKaN26yh6Pa/rfcyYL0O8APcsaORh
vkOi6F+KugyfLX1zQ8VctqSdZOX/TgrFN7SV8/AXUMzgqN80OUzsEdhd1EFRS/rh
iFS7Vgs4XWgjNrngxTQLnFn7MqbVxGp3YturfrpvplXdlyYbpgAaMe4ybAjtpsck
o2AePuwcN/5sNy67WSL3Gi2tOkGnADoXOLBoN9gzopMcxOrPGuqWVurM7lXHufYv
SqpV34f0C8Cx3SmFC4PiORaAzoZZkT90N+nevnSwWLife/gJiJYacU+Zoj7xTWcZ
JcgmfMv924uHwU9/8grqwmGouGx9Y/vySfSkV/jupuBi6sWf1TrBBMs+HPcpeBnH
APG6OAQKHhgadloeGmC2HAnd3l2Nu2vQ+4f6iBBdwyke0BlJS9zrlTJKNzk3dhqM
HOJiumzIpdmJNI6Dy/9gNmles32UHiywzLhANyNLj0sa3fxOtetYkUnYS6jJ4hS+
fOE9vyNIVJQVmVthJrfF1Iwva1P7NW6sJf4nDDbsVEWqwk6p2NbV1EcgyM5Xeqnr
oE6VXBgxYIdTsn5epR8dtcvRaCrECCu4dHBOMowWo48nS8vsAOs=
=fpOo
-----END PGP SIGNATURE-----