-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: ppc64el
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-01)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side,
       but it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause
       a denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients. (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during disconnect.
     (Related to #1077962, etc.)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----