-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: libsoup-3.0-common libsoup-3.0-doc
Architecture: all
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Simon McVittie
Description:
 libsoup-3.0-common - HTTP library implementation in C -- Common files
 libsoup-3.0-doc - HTTP library implementation in C -- API Reference
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side, but it
       can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause a
       denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during
     disconnect.
     (Related to #1077962, etc.)
Checksums-Sha1:
 40d1b8253e586187440d22aa84cda91137f25460 62344 libsoup-3.0-common_3.2.3-0+deb12u1_all.deb
 42cc797471ed68ce6952f2274274a1332874b947 228644 libsoup-3.0-doc_3.2.3-0+deb12u1_all.deb
 e96c1526112d73d0f5ab9af1e639288c78747f82 18808 libsoup3_3.2.3-0+deb12u1_all-buildd.buildinfo
Checksums-Sha256:
 6c443ee9ca0a014688816780e4262cac0328d3c96fa54e1cdab30b3464a2b5ef 62344 libsoup-3.0-common_3.2.3-0+deb12u1_all.deb
 ce0690a2f8b7bdbbbbf9b6df1143d7ce59197716112c5bb5375c2fc24eb9e4cc 228644 libsoup-3.0-doc_3.2.3-0+deb12u1_all.deb
 e8241cfff9116c7c1e1f4d27d21fd3a4e6b9eee63024a95b63ae64f22d37ebb9 18808 libsoup3_3.2.3-0+deb12u1_all-buildd.buildinfo
Files:
 2f165866ff3ec9d33121da0de39b61da 62344 devel optional libsoup-3.0-common_3.2.3-0+deb12u1_all.deb
 c3733419b9379be3b696747b113af476 228644 doc optional libsoup-3.0-doc_3.2.3-0+deb12u1_all.deb
 9dddd31c59f56130a1fadb633202b70a 18808 devel optional libsoup3_3.2.3-0+deb12u1_all-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEELusn8jY95Sf7obGlx30Wh8LXl/YFAmiom+UACgkQx30Wh8LX
l/bYnBAAhOKWeX6AVj9IqA9cb7NHv/4ZXAqemd87ctNNET35MJ+hgIVFSnKkFR6k
06RrL4a3Kt1ovuAgC5vriG2AVObf3PlXjcAJRVBuONa1yKS/HR8GKIbBuD9SJfAY
pX+JVdz7ziaFtFSeVuCTUGVbbS2Xfkyp5T36jv4a0yMsifI+c8eo79YRqAgSUqcH
vxZ2TRzd2hJ/1bkGSeRQW8BRuMFnvBaSNa/3i8s2OTSw7LhVnn3gZC0TrH99KyKi
JGsT0mhiyXhHve8altM4JHmkFRx6fpXLE7wj8rTZx3VECpt1jfwFcbbR0+zxEoqY
sv5VUS9/SV+0LSgQ+o+qyIzxC2WVSBw/0MwdIMQrOvk98SS9pLrLXX+IFtALjxN7
uD6wrWv9MEObI1nZCaAkdq0KVZqH04VpkCVr5cqRTUfBThf0LxKe3bno71yXt4kM
hVR/As84J9+MXZNOrTQLXNLcBNzkoRSjl69fu7b+F7Kqn50WcryMSP7os/F/kKIy
bYZk1Tx4MfrLLJe2RyFth7t074a6TFyoT931rEhSKUh5NRGkmRynw6dx8E3zSnFz
DaMwOEeSqfFaBNK7MYtQQsB26WClkcWT0/cVy6woqSr9RxZStyHXJqx7yXXw/uoz
hDyKgK+HpNHzVOlJnUX0bCQXtoSPds2zEPTKOTuhh4OpzE8hFrc=
=yJII
-----END PGP SIGNATURE-----