-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Binary: gir1.2-soup-3.0 libsoup-3.0-0 libsoup-3.0-0-dbgsym libsoup-3.0-dev libsoup-3.0-tests libsoup-3.0-tests-dbgsym
Architecture: s390x
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: s390x Build Daemon (zandonai)
Changed-By: Simon McVittie
Description:
 gir1.2-soup-3.0 - GObject introspection data for the libsoup HTTP library
 libsoup-3.0-0 - HTTP library implementation in C -- Shared library
 libsoup-3.0-dev - HTTP library implementation in C -- Development files
 libsoup-3.0-tests - HTTP library implementation in C -- installed tests
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers.
       It is believed that this cannot happen on the client side,
       but it can happen in SoupServer.
       (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause
       a denial of service via resource exhaustion
       (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from 3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side. Upstream clarified the documentation in 3.6.1 to
     state that SoupServer is not intended to be exposed to untrusted
     clients. (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during
     disconnect. (Related to #1077962, etc.)
Checksums-Sha1:
 c422a5e4aa79ceb46442ec505e046cdb0ff2add0 27372 gir1.2-soup-3.0_3.2.3-0+deb12u1_s390x.deb
 c93cb4c49038eeb2cfd6ea6678abc1f94a9762c2 733768 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_s390x.deb
 de3ae5c812958ee12e351f9651394a33762aafb8 252160 libsoup-3.0-0_3.2.3-0+deb12u1_s390x.deb
 9aae0e97badbf5dfafce1cbb383da177156fdbc4 111304 libsoup-3.0-dev_3.2.3-0+deb12u1_s390x.deb
 34f7331708f4843bf5a5821bec5c997a2bccd23f 1379044 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_s390x.deb
 b83efcdfe9dfae5ee1c3d7cc663a6e51b8cee6fa 1352832 libsoup-3.0-tests_3.2.3-0+deb12u1_s390x.deb
 78f63f9c4d97d271756064c8ccf6c0665f06c705 19785 libsoup3_3.2.3-0+deb12u1_s390x-buildd.buildinfo
Checksums-Sha256:
 2a35e5337a28cdd51b1231626e8e76774081eaa98716ee754a9cacb9ed32cba4 27372 gir1.2-soup-3.0_3.2.3-0+deb12u1_s390x.deb
 5437b5666a33dd33b3e578ff75f33a11378e87a20c6802417d06fc90da8908ac 733768 libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_s390x.deb
 150df15785ecaf57486eff37b6c6889b6f1322a5662c90c416f4b2c115858a45 252160 libsoup-3.0-0_3.2.3-0+deb12u1_s390x.deb
 f61185fb801a39816d0080490225c83d27c2232b2e9f94229e0170f9c3f9898f 111304 libsoup-3.0-dev_3.2.3-0+deb12u1_s390x.deb
 030700ee7cceb28257c94cc0f73754a04a1502b71cafae854d3fb4e4d39bf3ea 1379044 libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_s390x.deb
 59b92868770ea73977651aee219b0737c46d65d25d53c68c8ddf50235917c5ab 1352832 libsoup-3.0-tests_3.2.3-0+deb12u1_s390x.deb
 8eac6494f7b26d0a4467d6e7c00bd8dfbeb10ef5b70dff85b69399689f467f9e 19785 libsoup3_3.2.3-0+deb12u1_s390x-buildd.buildinfo
Files:
 d7255378bdec4cc4073e6f38d8b78195 27372 introspection optional gir1.2-soup-3.0_3.2.3-0+deb12u1_s390x.deb
 4db58a76226ffbef5c627808e1a5c684 733768 debug optional libsoup-3.0-0-dbgsym_3.2.3-0+deb12u1_s390x.deb
 d632bdcf3127f666a0e0c29f3a9a3ef8 252160 libs optional libsoup-3.0-0_3.2.3-0+deb12u1_s390x.deb
 afdf272ed588ff7c6ddb6075cccf9bb4 111304 libdevel optional libsoup-3.0-dev_3.2.3-0+deb12u1_s390x.deb
 edbbb8fbf4b9dd3dcb64a2fb0fb8e645 1379044 debug optional libsoup-3.0-tests-dbgsym_3.2.3-0+deb12u1_s390x.deb
 c9f5ccdd514fa4aa752213dc8de92360 1352832 misc optional libsoup-3.0-tests_3.2.3-0+deb12u1_s390x.deb
 9ab56f21ab7326049335fbe4018af9a5 19785 devel optional libsoup3_3.2.3-0+deb12u1_s390x-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu0D/YpnnSxv8epH9AKOyQzsWVasFAmionH8ACgkQAKOyQzsW
Vat4Sw/+Mlg98DiFpL3iwiA8MIN1pxRqlRmdZcEyR18H3fxow4jQVAmqZsuV1P6m
J1zGPjqCwuz6QI55Eumi/tH79/sIstfpgPQv1cdDSc/SF8FFt1+tYCTp6mkdqG16
5gQt2iwj1/VOAfsAHw+cNx+P06YoH5E7AheW44Aew3SBkSRLncCnOq2z6qAk01ZQ
w1zCZKT5Hivced0gr7M0eY1UJ6ODSlz50nTsIobGiqDWAURJihg7eDztBUqEFg9J
aWxcyz/AG4EqnuwQvaSrfNnv5AAixkAax09gs/RjEVOcbwchl9e29kPIVughT2iI
4MJBB0jKuBHJBqNwd+OqqytBw10nrNSzSXFQoAlrtUuEprtgTPniVmcI1L+cIevQ
MY3dqqfdIvb5vYzaufNWiWcML+nXfxJCbZpPDSNoqQ8lx9TzDm7YOODrxoDkUBHr
9tTYSgxogKmE3VP0OZYNyFOjFAal7fI0wGAKHg9+A5DacB16yiuvn+WQOYbIxaIo
JpuzEdPqSiQUEYGb5s5ehCO0ce/odlu+iUj3K6DRhQHCOK+RKd+0Y5aJ6d2dfTPT
Dq+wv9T6uqet9o3msqduGjqlXgofWOPhso7UxzPHL/CS7HxxDBxjXimd0mAzUm++
Wf3zveo05QjTtbUY5tcD5ril7GNyOZQSh8FtyV5XO6kp1uRSjV8=
=oypT
-----END PGP SIGNATURE-----