
      ZZLI4418             linux.debian.changes             419 messages      

  Msg # 133 of 419 on ZZLI4418, Thursday 8-27-25, 7:05  
  From: DEBIAN FTP MASTERS  
  To: ALL  
  Subj: Accepted libsoup3 3.2.3-0+deb12u2 (sourc  
 From: ftpmaster@ftp-master.debian.org 
  
 -----BEGIN PGP SIGNED MESSAGE----- 
 Hash: SHA512 
  
 Format: 1.8 
 Date: Mon, 25 Aug 2025 16:06:45 +0100 
 Source: libsoup3 
 Architecture: source 
 Version: 3.2.3-0+deb12u2 
 Distribution: bookworm 
 Urgency: medium 
 Maintainer: Debian GNOME Maintainers  
 Changed-By: Simon McVittie  
 Closes: 1052551 1054962 1059773 1064744 1077962 1087416 1087417 1098315 
 1099119 1100509 1100541 1101922 1102471 1104456 
 Changes: 
  libsoup3 (3.2.3-0+deb12u2) bookworm; urgency=medium 
  . 
    * Team upload 
    * d/p/tests-Gracefully-skip-test-if-a-large-memory-allocation-f.patch: 
      Add proposed patch to fix a test failure on some 32-bit machines, in 
      particular Debian 12's mipsel buildds 
  . 
  libsoup3 (3.2.3-0+deb12u1) bookworm; urgency=medium 
  . 
    * Team upload 
  . 
    [ Jeremy Bícha ] 
    * d/control{,.in}: Add Build-Depends: ca-certificates for build-time tests 
      (Closes: #1064744, #1054962) 
  . 
    [ Simon McVittie ] 
    * Re-export patch series (no functional changes) 
    * New upstream old-stable release 3.2.3 
      - Fix a buffer overrun if asked to parse non-UTF-8 headers. It is 
        believed that this cannot happen on the client side, but it can 
        happen in SoupServer. (CVE-2024-52531, Closes: #1087417) 
      - Avoid an infinite loop in WebSocket processing which can cause a denial 
        of service via resource exhaustion (CVE-2024-52532, Closes: #1087416) 
      - Fix denial of service (crash) when parsing invalid data URLs 
        (CVE-2025-32051) 
      - Fix heap overflows during content sniffing 
        (CVE-2025-32052, libsoup3 equivalent of #1102214) 
        (CVE-2025-32053, libsoup3 equivalent of #1102215) 
      - Fix an integer overflow during parameter serialization 
        (CVE-2025-32050, libsoup3 equivalent of #1102212) 
    * Fix a regression introduced in 3.2.3 by backporting its fixes from 
      3.6.5: 
      - d/p/sniffer-Fix-potential-overflow.patch, 
        d/p/sniffer-Add-better-coverage-of-skip_insignificant_space.patch: 
        Fix more heap buffer overflows during content sniffing 
        (CVE-2025-2784; libsoup3 equivalent of #1102208) 
      - d/source/include-binaries: Configure dpkg to accept non-text diffs 
        in test data for CVE-2025-2784 
    * d/p/server-Add-note-about-recommended-usage.patch: 
      Update documentation to indicate the level of security support for 
      the server side. 
      Upstream clarified the documentation in 3.6.1 to state that SoupServer 
      is not intended to be exposed to untrusted clients. 
      (Related to CVE-2024-52531, CVE-2024-52532) 
    * d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch: 
      Add test coverage related to CVE-2024-52531 
    * Backport additional CVE fixes from upstream release 3.5.2: 
      - d/p/headers-Strictly-don-t-allow-NUL-bytes.patch: 
        Reject HTTP headers if they contain NUL bytes 
        (CVE-2024-52530, libsoup3 equivalent of #1088812) 
    * Backport additional CVE fixes from upstream release 3.6.2: 
      - d/p/content-sniffer-Handle-sniffing-resource-shorter-than-4-b.patch: 
        Fix denial of service when sniffing type of a short resource 
        (CVE-2025-32909, libsoup3 equivalent of #1103517) 
      - d/p/auth-digest-Handle-missing-realm-in-authenticate-header.patch, 
        d/p/auth-digest-Handle-missing-nonce.patch, 
        d/p/auth-digest-Fix-leak.patch: 
        Fix denial of service (crash) during client-side authentication 
        (CVE-2025-32910, libsoup3 equivalent of #1103516) 
      - d/p/soup_message_headers_get_content_disposition-Fix-NULL-der.patch, 
        d/p/soup_message_headers_get_content_disposition-strdup-trunc.patch: 
        Fix memory management of message headers. 
        (CVE-2025-32911, CVE-2025-32913; libsoup3 equivalent of #1103515) 
      - d/p/soup_header_parse_quality_list-Fix-leak.patch: 
        Fix a memory leak (slow denial of service) in quality list parsing 
        (CVE-2025-46420, libsoup3 equivalent of #1104055) 
    * Backport additional CVE fixes from upstream release 3.6.5: 
      - d/p/auth-digest-Handle-missing-nonce-1.patch, 
        d/p/digest-auth-Handle-NULL-nonce.patch: 
        Fix additional denial of service issues related to CVE-2025-32910 
        (CVE-2025-32912, libsoup3 equivalent of #1103516) 
      - d/p/headers-Handle-parsing-edge-case.patch, 
        d/p/headers-Handle-parsing-only-newlines.patch: 
        Fix denial of service (crash) in http server header parsing 
        (CVE-2025-32906, libsoup3 equivalent of #1103521) 
      - d/p/session-Strip-authentication-credentails-on-cross-origin-.patch: 
        Fix credentials disclosure on cross-origin redirect 
        (CVE-2025-46421, libsoup3 equivalent of #110405) 
    * d/control: libsoup-3.0-tests Depends on ca-certificates 
      (Equivalent of #1054962, #1064744 for autopkgtests) 
    * d/p/connection-manager-don-t-crash-if-connection-outlives-its.patch: 
      Add patch from upstream fixing a use-after-free during disconnection. 
      In particular this resolves a hang during gnome-calculator startup, 
      when it downloads currency conversion data. 
      (Closes: #1077962, #1052551, #1098315, #1099119, #1100509, #1104456, 
      #1100541, #1101922, #1102471, #1059773) 
    * d/p/connection-auth-don-t-crash-if-connection-outlives-the-au.patch: 
      Add patch from upstream fixing another use-after-free during disconnect. 
      (Related to #1077962, etc.) 
 Checksums-Sha1: 
  109f78b0454e2dfb3c04d7580032cf1653adbbc7 3514 libsoup3_3.2.3-0+deb12u2.dsc 
  18c39cf2ccdbe8bafae6ea5cb9fcee000ff89f92 38208 libsoup3_3.2.3-0+deb12u2.debian.tar.xz 
  12081c772865f927fc2d717eb0b22e03c23aae09 2473716 libsoup3_3.2.3-0+deb12u2.git.tar.xz 
  a67dd354b3d5929d371fdb3d37d0804d0efc7fd9 18090 libsoup3_3.2.3-0+deb12u2_source.buildinfo 
 Checksums-Sha256: 
  
 [continued in next message] 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2) 
