-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: amd64
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side,
       but it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause a
       denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during
     disconnect. (Related to #1077962, etc.)
Checksums-Sha1:
 fc0fa92dc169a76988c67d5bb65e8347d700fa30 27592 gir1.2-soup-3.0_3.2.3-0+deb12u1_amd64.deb
 08dbbc7f00a7abe362cacb89dcbe7d9419ede5c9 741908 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_amd64.deb
 43d6fe0dff983c63a9b3d181ecae5c619cb0a5f0 271932 libsoup-3.0-0_3.2.3-0+deb12u1_amd64.deb
 c9a7adbdbb3ed24ad9874c06da4177b887a36727 111272 libsoup-3.0-dev_3.2.3-0+deb12u1_amd64.deb
 95e9f6b440f4b1456c596a2d6f1d08ce5e021eb3 1464816 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_amd64.deb
 501ecfbc10f5a35ccfa89eaf98574d8233722b00 1404396 libsoup-3.0-tests_3.2.3-0+deb12u1_amd64.deb
 ef3cbcf7a20963fc2c4ae62758e21a4f20484d25 20054 libsoup3_3.2.3-0+deb12u1_amd64-buildd.buildinfo
Checksums-Sha256:
 268adce6fb398a366a67a4fca5a2ecb85283287f7999e403e29c94d8ff2e5c93 27592 gir1.2-soup-3.0_3.2.3-0+deb12u1_amd64.deb
 e57a0f9127c5a44d79ca488254f4081c1e3e1218e2c19bf81761fe0cc16e066a 741908 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_amd64.deb
 9fd86d0756584737c764ef34254efef2926bccf5fd3382bd8c7959343351c27e 271932 libsoup-3.0-0_3.2.3-0+deb12u1_amd64.deb
 6bd83683cdfc6c5e82986ac07d4499cac0cd2b53609f433963bedb08f1dc148c 111272 libsoup-3.0-dev_3.2.3-0+deb12u1_amd64.deb
 16308018a02069eeb23e66445cadbc09eabc1fc2198f9f6559173866f3d2baf6 1464816 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_amd64.deb
 f987bf1b6c938070b84556285c9c992edf3852fd17be8387f68c9e9705f4b25f 1404396 libsoup-3.0-tests_3.2.3-0+deb12u1_amd64.deb
 944dbee58290824a0c26a35513de7d851bb8529b1fd00601e551e0ccab0d7d59 20054 libsoup3_3.2.3-0+deb12u1_amd64-buildd.buildinfo
Files:
 b7af38df0b145f3f693e4085c782f0bf 27592 introspection optional gir1.2-soup-3.0_3.2.3-0+deb12u1_amd64.deb
 164fc2f0f88c7e6b4e85843c846d8639 741908 debug optional libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_amd64.deb
 5abfc28ae5e6c82fe59c60b2a75dd1d5 271932 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_amd64.deb
 0dc28df0bae9645e0cc61f00c4307480 111272 libdevel optional libsoup-3.0-dev_3.2.3-0+deb12u1_amd64.deb
 297d44c70b7646703457411078ca17ea 1464816 debug optional libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_amd64.deb
 ec3bb0b08669e4d37c438bb58a1a5b97 1404396 misc optional libsoup-3.0-tests_3.2.3-0+deb12u1_amd64.deb
 6a9b50693fb6a28ecdd46453e1ed76cd 20054 devel optional libsoup3_3.2.3-0+deb12u1_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEc5vuvf2HND40bnI+8IREj/cRiTMFAmiomusACgkQ8IREj/cR
iTMDHBAAg7dDImZkoDmwhmUM8UpAJumjOKWwLuR9JHQXM49GxBY++twsptEAnrtF
wvynb0rOIdP4YwfT11DCtaZ5I3NzCCM8u5nzo+Y+6mccQqNj8rnG/TNkc0iF2E3C
EWIIA4+CgvMiyUWXPPR+bKT7L+AcZn7fATpfuBHTsH9DQP4QUlLxTpe81QpE+T1j
gEqg9GXAHGcbwRjNnwtAkLUexqTjEp50Q40GwDaN8IgeSzk42JQO8XB5EaiTl7Ar
pHhLteKGBWQZrdRloxvyxX0eLshiMvYk8UazvZX9aO7PVLvE/YglsqPujTmndjFP
dz1xIQgoechyIAQjMnKsIycnIhHXSKNaRDMfGDYx3HYRb6uGpKVsodXTMdJq0nnL
dYvJvOrynldcGiwK98OLWYd04rhkVsp2T+k+A8MamBZQCOk6qxgeF48kTfImid7V
mF6O9qUN6TyI3L0UVdHRlRA3ZHjyeMB5wzo/+97M6NN7ugZrexYRUYOzVB1do5yT
s5RWNAgUvTUa5W/XHgCFlvOiPvTsaukLBIaS8WoIiX/IQy2xeIU/LgEPmzlZgRSX
QBTMfz/VM2W7d7VkAZIqJ91suLk2IfL1gh+N6L4ODoXGRptVswJmGS71q7GHUf43
U+jsUhjxNeCH7ybOWmeipHHY3CXrorOkAKEemoNGfwUun5teD18=
=MHpA
-----END PGP SIGNATURE-----