-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: i386
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side,
       but it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause
       a denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during
     disconnect. (Related to #1077962, etc.)
Checksums-Sha1:
 512fddf82ca74002aa55bef616e59dffd20b2182 27644 gir1.2-soup-3.0_3.2.3-0+deb12u1_i386.deb
 14d24318fd97071b4ee6bdf6ea9b69dec3216ce6 612552 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_i386.deb
 f8202f2e39d201f2d66724b2d63f89506394f447 290112 libsoup-3.0-0_3.2.3-0+deb12u1_i386.deb
 1dfbdb5f662044496ec399dd8a9bb5c1d2b9f724 111264 libsoup-3.0-dev_3.2.3-0+deb12u1_i386.deb
 020552411d9301419c456b39559eb88a76b03813 1206024 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_i386.deb
 487b87728590874313ad533d6349b81b77b9c1ab 1428440 libsoup-3.0-tests_3.2.3-0+deb12u1_i386.deb
 6def69099c637c513e29a751ed2298734d56e727 19942 libsoup3_3.2.3-0+deb12u1_i386-buildd.buildinfo
Checksums-Sha256:
 4df3b6ce952cf9ac6849260eb8c42c903c5e1865d71407316ca0ad19abd4d0ff 27644 gir1.2-soup-3.0_3.2.3-0+deb12u1_i386.deb
 00db12fb5ef98d37337975cf6821020243819df9f300b161a9ca03a3c067c4df 612552 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_i386.deb
 a564a4a84abde0128b01bfa2a86a6b12edf502b84f0c6b1f1a7231fd272fb519 290112 libsoup-3.0-0_3.2.3-0+deb12u1_i386.deb
 bff10f27baf1a25aa7ba7659e42e2173eb84b1d0124623c532369a837104b6fa 111264 libsoup-3.0-dev_3.2.3-0+deb12u1_i386.deb
 de04486294b14ffe181e93651eb883bbaeacab23e277fb18a313af3b6f91d7f7 1206024 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_i386.deb
 e550319c13cb8757a04bbfd61254d38de99ffd0d93b5b1e05940022ad7e8d405 1428440 libsoup-3.0-tests_3.2.3-0+deb12u1_i386.deb
 54c5ba9efcfc74251ca6bbb8ea3713bab21e2e73635e196b21ea75922b6cef73 19942 libsoup3_3.2.3-0+deb12u1_i386-buildd.buildinfo
Files:
 24bfdd5f61b5f20e6861b379c008ecb0 27644 introspection optional gir1.2-soup-3.0_3.2.3-0+deb12u1_i386.deb
 6d4b7d4c53bb9391c1227fc7ed3fd1b7 612552 debug optional libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_i386.deb
 a8d07e6f1abb162b57780756b75ba0bc 290112 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_i386.deb
 b68a85404f92742d52d227cbb1c76fb3 111264 libdevel optional libsoup-3.0-dev_3.2.3-0+deb12u1_i386.deb
 fe0a136c3a2ec130bff5151a719785f2 1206024 debug optional libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_i386.deb
 9303a745a3281d7e3956864c92a5f618 1428440 misc optional libsoup-3.0-tests_3.2.3-0+deb12u1_i386.deb
 87577983b7349446c840ee5cb27f0a43 19942 devel optional libsoup3_3.2.3-0+deb12u1_i386-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEc5vuvf2HND40bnI+8IREj/cRiTMFAmiomkYACgkQ8IREj/cR
iTOlCw/+IKz9zLzlDOF19Vq/akMkxlaEAyJZPgfNZiylbv5W8AYhhtueasTQ6slq
1IgrZMvvRjFlnkrx0MZh4Smlkkp6QZA7iKqJQJKflWy3uOzwbsLgJr9wvOfJF8ul
/ctnbpO0kmwlgVyu3Xpp7B48p0Vr535h84smg2VCSz/pP5dyutjtZQt/3uW1mbh+
wp7TzpMx6YtRe/DQJFNcn6mpFzML718SeyXIPukE8ppavacYa04jsIv+9GNWiEJM
duAHSuGrSjU88IHWqRs66atV2ulldF/+f/pW8Sk+a72VHbg7sK35a/D9qRcMJ/Ao
YgjVWwc5Jy/BcOt3jZYdgvUq880QY03q2u3jdRWEYgkvUfFn8AwF/ielmtoVYomX
zEcyyF4NiIv+VViWrDcwxz4S9XSWx6gcmKfrKXr3sUIfbHzit2wIsOUdMfmVy+43
643uinSoTMvP0Uejv2j6Tt5JK1PzzXPMxPCFsgrx+tkb5F8ShlzHcjCRXEl/tvPr
VjFlfWtiX1NPI1ayhQx+cVa+VZUq5B2fcQ/TWPhrSksZEHrchKE2dOwQxlOEU2gL
70KPqQ8qFA2/+qmfyGuw1okXhC//kfZrybuEZYLHmdtZOSnUycTWzZpstIFxcnrj
NyzherDO1WTb1tIc0m5adEQZ86T54rYD4R7yxR5yw4evwPPbt5c=
=1l+v
-----END PGP SIGNATURE-----