-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: armhf
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-04)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side,
       but it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause
       a denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients. (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during
     disconnect. (Related to #1077962, etc.)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----