-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 14:39:06 +0100
Source: libsoup3
Architecture: source
Version: 3.2.3-0+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 1099119 1100509 1100541 1101922 1102471 1104456
Changes:
 libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium
 .
   * Team upload
 .
   [ Jeremy Bícha ]
   * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests
     (Closes: #1064744, #1054962)
 .
   [ Simon McVittie ]
   * Re-export patch series (no functional changes)
   * New upstream old-stable release 3.2.3
     - Fix a buffer overrun if asked to parse non-UTF-8 headers. It is
       believed that this cannot happen on the client side, but it can
       happen in SoupServer. (CVE-2024-52531, Closes: #1087417)
     - Avoid an infinite loop in WebSocket processing which can cause a denial
       of service via resource exhaustion (CVE-2024-52532, Closes: #1087416)
     - Fix denial of service (crash) when parsing invalid data URLs
       (CVE-2025-32051)
     - Fix heap overflows during content sniffing
       (CVE-2025-32052, libsoup3 equivalent of #1102214)
       (CVE-2025-32053, libsoup3 equivalent of #1102215)
     - Fix an integer overflow during parameter serialization
       (CVE-2025-32050, libsoup3 equivalent of #1102212)
   * Fix a regression introduced in 3.2.3 by backporting its fixes from
     3.6.5:
     - d/p/sniffer-Fix-potential-overflow.patch,
       d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch:
       Fix more heap buffer overflows during content sniffing
       (CVE-2025-2784; libsoup3 equivalent of #1102208)
     - d/source/include-binaries: Configure dpkg to accept non-text diffs
       in test data for CVE-2025-2784
   * d/p/server-Add-note-about-recommended-usage.patch:
     Update documentation to indicate the level of security support for
     the server side.
     Upstream clarified the documentation in 3.6.1 to state that SoupServer
     is not intended to be exposed to untrusted clients.
     (Related to CVE-2024-52531, CVE-2024-52532)
   * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
     Add test coverage related to CVE-2024-52531
   * Backport additional CVE fixes from upstream release 3.5.2:
     - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch:
       Reject HTTP headers if they contain NUL bytes
       (CVE-2024-52530, libsoup3 equivalent of #1088812)
   * Backport additional CVE fixes from upstream release 3.6.2:
     - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch:
       Fix denial of service when sniffing type of a short resource
       (CVE-2025-32909, libsoup3 equivalent of #1103517)
     - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch,
       d/p/auth-digest-Handle-missing-nonce.patch,
       d/p/auth-digest-Fix-leak.patch:
       Fix denial of service (crash) during client-side authentication
       (CVE-2025-32910, libsoup3 equivalent of #1103516)
     - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch,
       d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch:
       Fix memory management of message headers.
       (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515)
     - d/p/soup_header_parse_quality_list-Fix-leak.patch:
       Fix a memory leak (slow denial of service) in quality list parsing
       (CVE-2025-46420, libsoup3 equivalent of #1104055)
   * Backport additional CVE fixes from upstream release 3.6.5:
     - d/p/auth-digest-Handle-missing-nonce-1.patch,
       d/p/digest-auth-Handle-NULL-nonce.patch:
       Fix additional denial of service issues related to CVE-2025-32910
       (CVE-2025-32912, libsoup3 equivalent of #1103516)
     - d/p/headers-Handle-parsing-edge-case.patch,
       d/p/headers-Handle-parsing-only-newlines.patch:
       Fix denial of service (crash) in http server header parsing
       (CVE-2025-32906, libsoup3 equivalent of #1103521)
     - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch:
       Fix credentials disclosure on cross-origin redirect
       (CVE-2025-46421, libsoup3 equivalent of #110405)
   * d/control: libsoup-3.0-tests Depends on ca-certificates
     (Equivalent of #1054962, #1064744 for autopkgtests)
   * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch:
     Add patch from upstream fixing a use-after-free during disconnection.
     In particular this resolves a hang during gnome-calculator startup,
     when it downloads currency conversion data.
     (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456,
     #1100541, #1101922, #1102471, #1059773)
   * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch:
     Add patch from upstream fixing another use-after-free during disconnect.
     (Related to #1077962, etc.)
Checksums-Sha1:
 3cd4cbe62114d1591ac7ed133219be3096f5ebee 3362 libsoup3_3.2.3-0+deb12u1.dsc
 104cbce77f3d620c9b6660f03c6c8076a2c99711 1530552 libsoup3_3.2.3.orig.tar.xz
 0ee17a274d37bd4967b3d8941c13c766520a52c5 37636 libsoup3_3.2.3-0+deb12u1.debian.tar.xz
 cdd653b893d75895662f4fdf3c380b53edb10ee7 18435 libsoup3_3.2.3-0+deb12u1_source.buildinfo
Checksums-Sha256:
 f68bd3c65f208bacfc99d54fe24012a9ce0aef217f89ff0e4ae354f5f029852b 3362 libsoup3_3.2.3-0+deb12u1.dsc
 3f50c2a883d7e984e31ecbaa35326b4e6bc6357bd3eed9bb4eb49154ebadd2fd 1530552 libsoup3_3.2.3.orig.tar.xz
 5afa608a041cf3b0f08386f97e9ec6adaa8971598876e03cbd30812a19ab97c8 37636 libsoup3_3.2.3-0+deb12u1.debian.tar.xz
 9a0bd6df19b611dc6b0f17e16406112bcc8d18f5fcd7da57efefa486d22e0f6c 18435 libsoup3_3.2.3-0+deb12u1_source.buildinfo
Files:
 9e780002f7ff4ffbc7098ba3a46e45da 3362 devel optional libsoup3_3.2.3-0+deb12u1.dsc
 c609e3028296f559786fa581c418f4da 1530552 devel optional libsoup3_3.2.3.orig.tar.xz
 a155ad6386cde3560239fddd97e02581 37636 devel optional libsoup3_3.2.3-0+deb12u1.debian.tar.xz
 4f3fec537be1c450b78572bf5ff4fb43 18435 devel optional libsoup3_3.2.3-0+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmiYbz8ACgkQI1wJnT6z
MHYX5w//TNn1SbM3UK6VL7w3yeKY724RIjlt8pkF4I75kS9ws2gNVxddbpBhG04c
MVMF/C8ZiKWtIl73FUfQe8ywLePM/QEwUe/gqwkXwXTUG8CJLj0NjsVjOZrWtWI5
EZPdhFun6hX5l236IdYtV71jZSVu/LPzXdSH+Ycs0TyuQth1RRpOKPaJoyZSkE8d
pJvrGRGGtGqW6p3gdlhnwgOlnHZ0ei/15fI4xptjlikikMFXXuNVTC86Fdz5yvHH
TJus4XUka0+KV+mh98NrABNAh/Ar4MNCJfmpEceip6eGLqJ2JaegalHuaJkUusKe
POQ9lrR3cvL22gaw/Xw+O79GFwc4mN3wN/NRar5CHuUr83NdbLnkmzuohfAk3PzA
d14lBtJaPOa/Jxkv5HwwuFlG9DfyvtGkXfoU+5pD+alXrj08OzZ1i/P4kVs0hzrA
cEgQcneFJJjaD0JOWps6LlsT2CXWdpDRKN54l0lUeVRXlCXq41FqMuN8+plBYdCN
Pkaj0fxFUat1sBq9llzgreg26Tor1Kec7+ASuYw9iv9HB9JJromYUjc8tVb4Aj8u
xnjpZgFw1X7eR+zI9hruuuZV0ji46hcujkDy+5eqwUxTupvzluLxy2Qz6eICNTlt
FNg/ZJv95cKx19G+Z8yTcpgoNzEn6eiSOhiObzXwGBn5FRCNtRE=
=wM44
-----END PGP SIGNATURE-----