Accepted libsoup2.4 2.72.0-2+deb11u2 (source) into oldstable-security



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 Apr 2025 17:01:48 +0200
Source: libsoup2.4
Architecture: source
Version: 2.72.0-2+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1091502
Changes:
 libsoup2.4 (2.72.0-2+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
 .
   [ Andreas Henriksson ]
   * CVE-2025-2784: heap buffer over-read when sniffing content
     via the skip_insight_whitespace() function. Libsoup clients may read one
     byte out-of-bounds in response to a crafted HTTP response by an HTTP
     server.
   * CVE-2025-32050:
     libsoup append_param_quoted() function may contain an overflow bug
     resulting in a buffer under-read.
   * CVE-2025-32052:
     vulnerability in the sniff_unknown() function may lead to heap buffer
     over-read.
   * CVE-2025-32053:
     vulnerability in sniff_feed_or_html() and skip_insignificant_space()
     functions may lead to a heap buffer over-read.
   * CVE-2025-32906:
     soup_headers_parse_request() function may be vulnerable to an
     out-of-bound read. This flaw allows a malicious user to use a specially
     crafted HTTP request to crash the HTTP server.
   * CVE-2025-32909:
     SoupContentSniffer may be vulnerable to a NULL pointer dereference in
     the sniff_mp4 function. The HTTP server may cause the libsoup client to
     crash.
   * CVE-2025-32910:
     soup_auth_digest_authenticate() is vulnerable to a NULL pointer
     dereference. This issue may cause the libsoup client to crash.
   * CVE-2025-32911:
     use-after-free memory issue not on the heap in the
     soup_message_headers_get_content_disposition() function. This flaw
     allows a malicious HTTP client to cause memory corruption in the libsoup
     server.
     CVE-2025-32913:
     the soup_message_headers_get_content_disposition() function is
     vulnerable to a NULL pointer dereference. This flaw allows a malicious
     HTTP peer to crash a libsoup client or server that uses this function.
     (same fix for both CVE-2025-32911 and CVE-2025-32913)
   * CVE-2025-32914:
     the soup_multipart_new_from_message() function is vulnerable to an
     out-of-bounds read. This flaw allows a malicious HTTP client to induce the
     libsoup server to read out of bounds.
   * CVE-2025-32912:
     SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP
     server may cause the libsoup client to crash.
   * Do not complain about patches with test-data
   * Backport multipart test to old libsoup API
   * Backport content-sniffing extended whitespace test
   * Backport auth tests for CVE-2025-32910
 .
   [ Jeremy Bícha ]
   * Cherry-pick patch to extend expiration to 2049 of a certificate
     used for build tests
     (cherry picked from commit 87ca3c61fbd4c1967d16a198920bcf8962f7b067)
     (Closes: #1091502)
Checksums-Sha1:
 04245b5cc0adb70c7c6447132952f8a46feba276 3251 libsoup2.4_2.72.0-2+deb11u2.dsc
 6aaed6b49b13e287b7c3bba546ba49fec4ea72a5 1477940 libsoup2.4_2.72.0.orig.tar.xz
 3b71450a984c02090ac5be9f7313cfeb59795695 43480 libsoup2.4_2.72.0-2+deb11u2.debian.tar.xz
 9dfa95b52e52708725789063b323e3fefe80aac0 9893 libsoup2.4_2.72.0-2+deb11u2_source.buildinfo
Checksums-Sha256:
 04047108dadb081325ea4113091bb3d630b3c6c9ee0ba498c628e9c667a1113e 3251 libsoup2.4_2.72.0-2+deb11u2.dsc
 170c3f8446b0f65f8e4b93603349172b1085fb8917c181d10962f02bb85f5387 1477940 libsoup2.4_2.72.0.orig.tar.xz
 eb04353699bee8ec139f9e41ccffd756033d12a3f46a752a12d2cf13c049846d 43480 libsoup2.4_2.72.0-2+deb11u2.debian.tar.xz
 36e61e9bc29e7193e5365d9603801d71da4f336806db32d22267382b91c5e3c1 9893 libsoup2.4_2.72.0-2+deb11u2_source.buildinfo
Files:
 c4270ee8687b6f3c3381cbd590dc5e8c 3251 devel optional libsoup2.4_2.72.0-2+deb11u2.dsc
 859380b76b51fb55d720daea3c76c945 1477940 devel optional libsoup2.4_2.72.0.orig.tar.xz
 1d3415e603263ec404df15f03b5ceac4 43480 devel optional libsoup2.4_2.72.0-2+deb11u2.debian.tar.xz
 e47bdd0757494847851341104ca70847 9893 devel optional libsoup2.4_2.72.0-2+deb11u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
