-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: armel
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-04)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side, but it
       can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause a
       denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during
     disconnect.
     (Related to #1077962, etc.)
Checksums-Sha1:
 0bdc78819b809f1c020ea7e2e120fbf84784235f 27616 gir1.2-soup-3.0_3.2.3-0+deb12u1_armel.deb
 90866aa4004da3c1ecf04c5eb41c8b2076b37fac 735244 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_armel.deb
 59089aaf6000d54af9bd046124ac9bde8b53f10c 238916 libsoup-3.0-0_3.2.3-0+deb12u1_armel.deb
 f1a6878fa32217d62aa31041f82ac5882ffc9fcf 111264 libsoup-3.0-dev_3.2.3-0+deb12u1_armel.deb
 3fa74c2650f59610b9ab86ca2bcee034c81a122e 1360896 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_armel.deb
 5d1c85938bae41bb654061ba53cbc218520361cb 1349368 libsoup-3.0-tests_3.2.3-0+deb12u1_armel.deb
 421694dbee636c91c8c87a54f1790a0a85db6b4a 19811 libsoup3_3.2.3-0+deb12u1_armel-buildd.buildinfo
Checksums-Sha256:
 ef7e378e081ee1de4d20e9c5d4750d26f2e2aab9b04f43ac7a416a3b06a61cba 27616 gir1.2-soup-3.0_3.2.3-0+deb12u1_armel.deb
 6dbb3cfd4e97c0d9cf5111e51103b9b1c3b312649ca70c619e3dedcfb4bd6e38 735244 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_armel.deb
 b801602dd63001343186135c618ebce4ebdc7c160f1aea03ecc0265968a45608 238916 libsoup-3.0-0_3.2.3-0+deb12u1_armel.deb
 660d52a9905d92a99950189dfda91261c4156380ae00152f15108e973e3ed4e0 111264 libsoup-3.0-dev_3.2.3-0+deb12u1_armel.deb
 415a60eaa295844e6792df668f2f8295e137ac88c5a5ca70f37601dec1e7b3e4 1360896 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_armel.deb
 e434f4ad864870996ff9752ee4d29c2f2a50ad46c93b11e4b781b2c5ef2480da 1349368 libsoup-3.0-tests_3.2.3-0+deb12u1_armel.deb
 57c4ccdfdbf2267f48bfcfc1c9464186a41b4e4748aab21da24a6ebd23ae1d28 19811 libsoup3_3.2.3-0+deb12u1_armel-buildd.buildinfo
Files:
 6baf245ed77984bee7a84b030574d5f8 27616 introspection optional gir1.2-soup-3.0_3.2.3-0+deb12u1_armel.deb
 5a81d2688ee23bd8688f678f405bf4f6 735244 debug optional libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_armel.deb
 f1c383ac73c1d7d11b4b85bce29269af 238916 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_armel.deb
 a2dcb91e86dffd9d5affa828ef919374 111264 libdevel optional libsoup-3.0-dev_3.2.3-0+deb12u1_armel.deb
 a9394ae95e2b2a867ea885bf8cf8b472 1360896 debug optional libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_armel.deb
 cbbaa87d53a80749cc45d2618f860c8a 1349368 misc optional libsoup-3.0-tests_3.2.3-0+deb12u1_armel.deb
 d77c1062127321987b1ee38404044f7b 19811 devel optional libsoup3_3.2.3-0+deb12u1_armel-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvEwFZ4bqkVI+Rh6t+N4VxR6LZYEFAmiomx8ACgkQ+N4VxR6L
ZYEi9g//TRZxSsgEtfRhjesaiy4AoQe55jTT5BILvP0lnvyWCbqSpn/MtkhXXxvC
bdgB9kHpk9DqNCDR4Mv7i4487aFccSkxEEiTadG+LqF4zTsMSY6k2oCqQwGFLvxl
IkpCno6heB4CdYdhsmrz009rlsnTRhA8RPC3hZzEo9MqLssDrjZakqBLuCVD2C5c
C/Z+E4bPpY+rzsTb+XvrvqOSXAW0vE/NExZriaC+b47xEZiL8MK6KWuCYeROlBAT
gdOUIO/JaQkP7v1sZsYcqXSiQlSgBrOZw8PoHAJBjmyT7FHmZe1JF4ROMoIAj5jK
RCdX9w/V5fF+3nG2YjduDUkf334Cce3vbGXuyrV6mx9z2Z/PDNMpVqp2Jdtw/NXd
OtTJCNx/zX3yCnMYIExadeKP0bTHZUiJpAFdD/LeNdY/Byfu4F0kKEOnZg4rj8gU
YAphhWsVW1DJL8ixQgBfARGRLdLFjC1ttpkJilhvvpgwL2hviayrhGmf31CgRbpG
JsdfOH632qipw/Z5sC+IhB43DnTjFZAahemQRfMQ5vYwbypv42bnbM7pd/Qx9a6I
5HZeVLDHWptlqlWMbXKeYZxJqb3sApgFq2FMKiOpHO3bp6ZE8QESVn9nOglgjNNk
b5l6oOaSJxvdnq3tvi1x9aoVEBeKGXoesr/KxBxpmphXkMEZ3Ms=
=y6An
-----END PGP SIGNATURE-----
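The Checksums-Sha256 and Files fields above bind each .deb to a digest and size, and the PGP signature binds the whole file to the uploader's key. The following is an added example, not part of the Debian package or of libsoup, showing how a consumer would parse such a field and check downloaded artifacts against it. The .changes excerpt, the file contents and the digests inside demo() are constructed so that the code runs offline; the filenames are placeholders, not the real package names.

```python
"""Verify a Debian .changes Checksums-Sha256 field against files on disk.

Added example, not the Debian or libsoup3 project's own code. Control
fields in a .changes file span continuation lines that start with one
space and end at the next non-indented line; each continuation line of
a Checksums-* field is "<digest> <size> <filename>".
"""
import hashlib
import os
import tempfile


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> dict[str, tuple[str, int]]:
    """Return {filename: (hexdigest, size)} for one multi-line checksum field."""
    entries: dict[str, tuple[str, int]] = {}
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if line.startswith(" "):
                digest, size, name = line.split()
                entries[name] = (digest, int(size))
                continue
            break  # a non-indented line starts the next field
        if line.startswith(field + ":"):
            in_field = True
    return entries


def verify_files(changes_text: str, directory: str) -> dict[str, str]:
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}.

    Size is checked before hashing so a truncated or padded download is
    reported as such; the digest is compared only when the size matches.
    """
    results: dict[str, str] = {}
    for name, (expected_digest, expected_size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != expected_size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected_digest else "hash-mismatch"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: one intact file, one tampered file, one absent file."""
    good = b"constructed contents of an intact package\n"
    original = b"constructed contents of a package that was replaced\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good_1.0_armel.deb"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "tampered_1.0_armel.deb"), "wb") as fh:
            fh.write(b"X" * len(original))  # same size as the listed entry, different bytes
        # Constructed .changes excerpt in the real field layout (hypothetical package).
        changes = (
            "Format: 1.8\n"
            "Source: example\n"
            "Checksums-Sha256:\n"
            f" {hashlib.sha256(good).hexdigest()} {len(good)} good_1.0_armel.deb\n"
            f" {hashlib.sha256(original).hexdigest()} {len(original)} tampered_1.0_armel.deb\n"
            f" {'0' * 64} 12 missing_1.0_armel.deb\n"
            "Files:\n"
            " d41d8cd98f00b204e9800998ecf8427e 0 libs optional good_1.0_armel.deb\n"
        )
        return verify_files(changes, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14s} {name}")
```

The checksums are only as trustworthy as the signature that covers them, so verify the signature first (gpg --verify on the .changes file, or dscverify from devscripts, which checks both the signature and the checksums). Compare against Checksums-Sha256 rather than the MD5 digests in the Files field, which remain only for compatibility.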
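The entry for CVE-2025-46421 describes credentials being disclosed when a client follows a redirect to another origin. As an added example, not libsoup's patch or any code from the project, the following models the client-side rule such a fix enforces: resolve the Location header against the original URL, compare scheme, host and effective port, and drop the Authorization header when any of them differ. Treating all three as the origin, and limiting the rule to Authorization, are assumptions of this example; the sample requests are constructed.

```python
"""Drop Authorization when an HTTP redirect leaves the original origin.

Added example, not libsoup's code. The origin is modelled as
(scheme, host, effective port); only Authorization is stripped, since
Proxy-Authorization is addressed to the proxy rather than the origin and
cookies are scoped separately by the cookie jar. Both points are
assumptions of this example.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, effective port) for url; raise ValueError if unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not host or port is None:
        raise ValueError(f"cannot determine origin of {url!r}")
    return scheme, host, port


def headers_for_redirect(headers: dict[str, str], original_url: str, location: str) -> tuple[dict[str, str], str]:
    """Return (headers to send, absolute target URL) for following a redirect.

    Location may be relative, so it is resolved against the original URL
    before the origins are compared. Authorization is removed whenever
    scheme, host or effective port differ (an https to http downgrade on
    the same host counts as cross-origin); header names are matched
    case-insensitively.
    """
    target = urljoin(original_url, location)
    if origin(original_url) == origin(target):
        return dict(headers), target
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}, target


# Constructed request headers for the demonstration.
SAMPLE_HEADERS = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}


def demo() -> dict[str, bool]:
    """Map each constructed redirect case to whether Authorization is still sent."""
    cases = {
        "same-origin path": ("https://api.example/v1", "/v1/login"),
        "explicit default port": ("https://api.example/v1", "https://api.example:443/v2"),
        "https to http downgrade": ("https://api.example/v1", "http://api.example/v1"),
        "other host": ("https://api.example/v1", "https://cdn.example/v1"),
        "other port": ("https://api.example/v1", "https://api.example:8443/v1"),
    }
    return {
        name: "Authorization" in headers_for_redirect(SAMPLE_HEADERS, src, loc)[0]
        for name, (src, loc) in cases.items()
    }


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{'kept   ' if kept else 'dropped'} Authorization: {name}")
```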