-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: arm64
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-04)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side, but
       it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause
       a denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during disconnect.
     (Related to #1077962, etc.)
Checksums-Sha1:
 adeae2f85688eeae8bc45a515cf66d049a8a1297 27628 gir1.2-soup-3.0_3.2.3-0+deb12u1_arm64.deb
 dac42ba234a636aab4ae474c5255afc48383804e 740596 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_arm64.deb
 1587c169a024d76d4ad818d384c7fdc216cb7820 255016 libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb
 f8e94febe53bd1bfca4ff4971e936101460ea68d 111288 libsoup-3.0-dev_3.2.3-0+deb12u1_arm64.deb
 09c115f85881292742e36a2698db602869617d7f 1466068 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_arm64.deb
 892663090bb1fba9ed725bab9437351a4b517875 1364528 libsoup-3.0-tests_3.2.3-0+deb12u1_arm64.deb
 4001d3c2131cae8c1647670d4837d219e416d8e5 19993 libsoup3_3.2.3-0+deb12u1_arm64-buildd.buildinfo
Checksums-Sha256:
 b4eb3e351693fd089805d347a5235f073624bff6981b7b134902b5c43419e616 27628 gir1.2-soup-3.0_3.2.3-0+deb12u1_arm64.deb
 35f206890f3b680a4790d19d073d593fc2cf14eaf1ea0146555b2ab984c7ea9c 740596 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_arm64.deb
 3d878dc3fe238ea854089650a46d10266fc96e8e13d19b3327a2534a10cbe074 255016 libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb
 43ac060f948bf629033f2fe993ff2564072dfbb4f4d88a6405af6c403f912204 111288 libsoup-3.0-dev_3.2.3-0+deb12u1_arm64.deb
 18e3d7859f116136ee983d07dc4269d48fa29b90ee6db3b69347926faf7e04a8 1466068 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_arm64.deb
 082cb69879524997e4b1e8dd1c5bd1cb4e9982f287f3f98adbb3d7920a62c5f0 1364528 libsoup-3.0-tests_3.2.3-0+deb12u1_arm64.deb
 48abf85e5e8ded94ab7d68fde021d8e0fda6d1a73d0c3307b06ba86cb2fff0dc 19993 libsoup3_3.2.3-0+deb12u1_arm64-buildd.buildinfo
Files:
 6918e2ac02deebba672e64c1ce00ed08 27628 introspection optional gir1.2-soup-3.0_3.2.3-0+deb12u1_arm64.deb
 e93840ac85f09c89966a8c5410d11eef 740596 debug optional libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_arm64.deb
 ee36f6bf3ca79770dfc1154624dae27b 255016 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb
 3cd08e8becbdb552ef7c63590750d4f6 111288 libdevel optional libsoup-3.0-dev_3.2.3-0+deb12u1_arm64.deb
 ba2d25db294233dd451ac4283527caf6 1466068 debug optional libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_arm64.deb
 cbca4ef1209f6742298402a7883fc1d9 1364528 misc optional libsoup-3.0-tests_3.2.3-0+deb12u1_arm64.deb
 1962a0db738ff79912620e0d91985489 19993 devel optional libsoup3_3.2.3-0+deb12u1_arm64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvEwFZ4bqkVI+Rh6t+N4VxR6LZYEFAmiombsACgkQ+N4VxR6L
ZYGYng/8DWYss3wpK4XOT70RGHUM3Nb9qtPAjowXKnYdE1z7R7Z5gEJES39/8X51
ghxPhpzrRSfgraQAjy92Us4LBzs5NZU+qfl+RpupqTT5X+G8MxwMtvERCY1ObmFu
VkyDkFff/ZrbBp24Ow5mhqIqOXZhAb9mfwdvmoZYOKK6vx9OJzhZlgfer7wFRpNt
9wZ5MWODU/l1vL8osMXqAxGQ2BlrkYPJrCa+MZyr+XObaYD3kS+pjwsa1zwGNCNy
mBMKsTOXlF79kMwDqbPIMwYrMcmVFl6mAhSE6AXR+vYVOMitmoNGPQnNWxozID9H
0TNGHFd0LrBI3R7z6aosS9jWzOwO0bifEQCBMX5gE2tvKzrCTZPL/4+pqlBL06FR
3IbZHjDhS8sFoW19UY5KxayTQDCFFOnfz2HE/Nq7WXKj/GdhadSZPSqET1IvnsHi
Drz2WzohQLAwvsaktKwHxEhfjU25stByP4cKZ1/G7IrtIRkrZLtpmx4uRMdrOFUf
r99f92FVvXh0SrlPLe9R9eFtuleD+kOLW08LSzWOF04yRsgV6rEGowIDm8ppmrej
2wpWiw5TFleLvj5R9lMdGEqKeWbafmTf6VTE42zAVeLtpI+PzAG4Q5+8GYhRziHB
Sn8ts0zRk3UArHf52zdUDG1uxP3nwQ6juCccJ2otEU7h0mbVwKo=
=Z5pr
-----END PGP SIGNATURE-----
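Added example (not part of the libsoup3 package, the Debian buildd tooling or the upstream project): a small parser for the Checksums-Sha256 stanza of a .changes file like the one above, plus a verifier that checks candidate files against it. The sample stanza inside the block is constructed; it reuses the real libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb entry from this upload and adds a hypothetical zero-length file "empty.bin" whose SHA-256 is the well-known hash of the empty string, so the demo runs offline. The point of the check is that the SHA-256 column is the one worth trusting: the MD5 digests in the Files: field and the SHA-1 digests are retained for compatibility, and none of the three means anything unless the PGP signature on the .changes file itself was verified first.

```python
"""Verify files against the Checksums-Sha256 stanza of a Debian .changes file.

Added example, not code from the libsoup3 package or from Debian's tooling.
The .changes format puts one " <sha256> <size> <filename>" continuation line
per artifact under "Checksums-Sha256:"; the field ends at the next line that
is not indented (here "Files:").
"""
import hashlib
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    sha256: str
    size: int
    filename: str


# Constructed input: one real entry from the libsoup3 3.2.3-0+deb12u1 arm64
# upload plus a hypothetical "empty.bin" (size 0, SHA-256 of the empty string).
SAMPLE_CHANGES = """\
Format: 1.8
Source: libsoup3
Version: 3.2.3-0+deb12u1
Checksums-Sha1:
 1587c169a024d76d4ad818d384c7fdc216cb7820 255016 libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb
Checksums-Sha256:
 3d878dc3fe238ea854089650a46d10266fc96e8e13d19b3327a2534a10cbe074 255016 libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 empty.bin
Files:
 ee36f6bf3ca79770dfc1154624dae27b 255016 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_arm64.deb
"""

# Exactly one leading space, 64 lowercase hex digits, a decimal size, a name.
_LINE = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(changes_text: str) -> List[Entry]:
    """Return the entries of the Checksums-Sha256 field, in file order.

    A continuation line that does not have the expected shape raises instead
    of being skipped, so a mangled stanza cannot silently verify as clean.
    """
    entries: List[Entry] = []
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.strip() == "Checksums-Sha256:"
            continue
        if not line.startswith(" "):
            break  # next field begins; the stanza is over
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed Checksums-Sha256 line: {line!r}")
        entries.append(Entry(m.group(1), int(m.group(2)), m.group(3)))
    if not entries:
        raise ValueError("no Checksums-Sha256 field found")
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(entries: List[Entry], files: Dict[str, bytes]) -> Dict[str, str]:
    """Check every entry against `files` (filename -> contents).

    Size is compared before hashing, so a truncated or padded download is
    reported as "size-mismatch" rather than as a generic hash failure.
    Statuses: "ok", "missing", "size-mismatch", "sha256-mismatch".
    """
    result: Dict[str, str] = {}
    for e in entries:
        data = files.get(e.filename)
        if data is None:
            result[e.filename] = "missing"
        elif len(data) != e.size:
            result[e.filename] = "size-mismatch"
        elif sha256_hex(data) != e.sha256:
            result[e.filename] = "sha256-mismatch"
        else:
            result[e.filename] = "ok"
    return result


if __name__ == "__main__":
    # The real .deb is not present in this offline demo; empty.bin is.
    statuses = verify(parse_checksums_sha256(SAMPLE_CHANGES), {"empty.bin": b""})
    for name, status in statuses.items():
        print(f"{status:16} {name}")
```

In practice the files dictionary would be filled by reading the downloaded .deb and .buildinfo files from the upload directory, and the .changes file would be checked with gpg --verify against the signing key before its checksums are consulted at all. On a bookworm host, whether the fixed build is installed is a separate check: dpkg-query -W -f='${Version}\n' libsoup-3.0-0 followed by dpkg --compare-versions "$v" ge 3.2.3-0+deb12u1.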