-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: mips64el
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side,
       but it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause
       a denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during disconnect.
     (Related to #1077962, etc.)
Checksums-Sha1:
 914af8ceae42f003f1bdbe68d950c48aa17cb6f3 27620 gir1.2-soup-3.0_3.2.3-0+deb12u1_mips64el.deb
 5c03674dac87b81125692daa86acff2a16ce2eaf 784116 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_mips64el.deb
 82d58bc252995e49fc48931f2cb1d5488725c8d7 231184 libsoup-3.0-0_3.2.3-0+deb12u1_mips64el.deb
 7f7b2d79cb454311000521713d0406482009b4bc 111300 libsoup-3.0-dev_3.2.3-0+deb12u1_mips64el.deb
 f4fbf2017c2beb67b24fd698a94feb19d74e1aa8 1490984 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_mips64el.deb
 b200c8a84d0d58668949564496a9511a2a807e83 1329536 libsoup-3.0-tests_3.2.3-0+deb12u1_mips64el.deb
 6863f508191cf65fb57b9444d5d40c1f84523ea5 19834 libsoup3_3.2.3-0+deb12u1_mips64el-buildd.buildinfo
Checksums-Sha256:
 276dd863c954a19da686651b18cc08688b107cae760d8f0f5856f0205c993035 27620 gir1.2-soup-3.0_3.2.3-0+deb12u1_mips64el.deb
 3d969dcd90da0d198c9eb01344c725aa9858a25286868b4598ed0a54c283125d 784116 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_mips64el.deb
 7a575664f9ea3f60cf52e7e72ff841081a8210817862284ac30b20a7209e3296 231184 libsoup-3.0-0_3.2.3-0+deb12u1_mips64el.deb
 f9c69b5d800aff49bfbccb2eb40694cced376df7550aeb0d776267aeb09d0b2a 111300 libsoup-3.0-dev_3.2.3-0+deb12u1_mips64el.deb
 308901be50b92a7b070497e057a933053b6d0493b4dbd98a060aa41808578742 1490984 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_mips64el.deb
 e2bdf98602361ef070a091b96f35cf407d5ba2d8175d128b6895f0f875d16df0 1329536 libsoup-3.0-tests_3.2.3-0+deb12u1_mips64el.deb
 d06e01f51d03f98ac9ab89f2c752b4217adc1a2d1d3983582d7aaff91dc7eeea 19834 libsoup3_3.2.3-0+deb12u1_mips64el-buildd.buildinfo
Files:
 cdfba0e3391b29a7f400987ff1836d5b 27620 introspection optional gir1.2-soup-3.0_3.2.3-0+deb12u1_mips64el.deb
 e5186bd54dafbe9ad05ae78163e3ea68 784116 debug optional libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_mips64el.deb
 af91b5e9442e3eaa383cb708040922cf 231184 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_mips64el.deb
 1f57f55ce257b28716cb842678880681 111300 libdevel optional libsoup-3.0-dev_3.2.3-0+deb12u1_mips64el.deb
 57bb479770f9166aa7c6aa13df71925f 1490984 debug optional libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_mips64el.deb
 894d095c1ef8a6f88bb45f3f88f09b01 1329536 misc optional libsoup-3.0-tests_3.2.3-0+deb12u1_mips64el.deb
 f766bd489ba1ddef9580f608102e84ef 19834 devel optional libsoup3_3.2.3-0+deb12u1_mips64el-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEesE3YcWKZXIkRPMemf85J+x5/aoFAmiou/YACgkQmf85J+x5
/arT9A/8CMDNLUOFXrSrTRdbp5/Jxo7TBSpDIEoTYHo6HimOvUDjESIOegeaP/f+
8LVlph2b2ujOA7RvFb6M1ROX7kiC1Q1iYcig+K9t9Ruxcv3nln89FURbuKo30nkB
8GyzLC+Qzw1im6tyBquU3a7IXNvtD0W1ek2me592Ykg1tWMFtR7DN0ajCM7+ghTn
rSFUSZV8MVh7T8S3D1Bg1P03+J4vmxKLnKm270SheyvdT5F9n5qWLh8ry9HZsZMo
Ne5MqRBCPkeKdSX6+y6GYSmf+iJw4cu6S90TH3/nzjdy3bcQtaL3rKyGzZwmTVDk
uiwwDyYwtTXoBoIoGKiMtfFtyICDXkbBCVY3Vcgd4Lk9yAg5PXDbJtTo6H7YXR+L
LRRpPzIQPUQBmnewoT8l+aKb2F6r1YAavd5Az9GcNZuxvsXopRquF8qq10qlXrPW
Sjf2QaJIjf+8FxYv0fMe6AUatzblFRmoM1A30Pu/+LXfU0z4cfgR/3Sb+74Xkd+0
nBFfuB7oxO+9J/bki0kRw2cA8ffGkWpgW2J80a6q30Vis5bul97rkSL+Y0i2sjd2
RQ9lCaUlz1MBaCUwN2cfOJfs5bdpbWKNR74pKbCdoU46gveyL6XyXWd6Vo59dOiO
ESX5HHED5a0pEaWU/Og1AqyaK6I5z/NsEJ4JnyymcXnA6Usp7lk=
=1w8q
-----END PGP SIGNATURE-----