Your message dated Sat, 12 Jul 2025 11:33:59 +0000
with message-id <e1uayur-00982e...@fasolo.debian.org>
and subject line Bug#1103265: fixed in libsoup3 3.6.5-2
has caused the Debian Bug report #1103265,
regarding libsoup3: CVE-2025-32908: denial of service by crashing HTTP/2 server with invalid pseudo-headers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libsoup3
Version: 3.6.5-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libsoup3.
CVE-2025-32908[0]:
| A flaw was found in libsoup. The HTTP/2 server in libsoup may not
| fully validate the values of pseudo-headers :scheme, :authority, and
| :path, which may allow a user to cause a denial of service (DoS).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-32908
https://www.cve.org/CVERecord?id=CVE-2025-32908
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
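The pseudo-header validation the CVE text describes, as an added Python example that is not libsoup's code: it checks the decoded request pseudo-headers an HTTP/2 server receives against RFC 9113 section 8.3.1, so that an empty or malformed :scheme, :authority or :path is rejected with a stream error before any code that assumes a well-formed request runs. The function name, the regular expressions and the (name, value) header-list shape are assumptions of this example.

```python
import re

# reg-name or IPv4 address, or a bracketed IPv6 literal, plus an optional port.
_AUTHORITY_RE = re.compile(
    r"^(?:[A-Za-z0-9._~%\-!$&'()*+,;=]+|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?$")
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
_VISIBLE_RE = re.compile(r"^[\x21-\x7e]+$")  # printable ASCII, no SP/CTL
_REQUEST_PSEUDO = (":method", ":scheme", ":authority", ":path")

def _check_authority(value):
    if not _AUTHORITY_RE.match(value):
        return "malformed :authority"
    port = value.rsplit(":", 1)[-1]
    if port.isdigit() and int(port) > 65535:
        return ":authority port out of range"
    return None

def validate_pseudo_headers(headers):
    """Return None if the decoded request header list (wire order, lower-cased
    names) carries acceptable pseudo-headers, otherwise a rejection reason."""
    pseudo, seen_regular = {}, False
    for name, value in headers:
        if not name.startswith(":"):
            seen_regular = True
            continue
        if seen_regular:  # RFC 9113: pseudo-headers precede regular fields
            return "pseudo-header after regular header"
        if name not in _REQUEST_PSEUDO:
            return "unknown or response-only pseudo-header " + name
        if name in pseudo:
            return "duplicate " + name
        pseudo[name] = value
    method = pseudo.get(":method", "")
    if not _VISIBLE_RE.match(method):
        return "missing or malformed :method"
    if method == "CONNECT":  # CONNECT carries :authority only (RFC 9113 8.5)
        if ":scheme" in pseudo or ":path" in pseudo:
            return "CONNECT must not carry :scheme or :path"
        return _check_authority(pseudo.get(":authority", ""))
    scheme, path = pseudo.get(":scheme", ""), pseudo.get(":path", "")
    if not _SCHEME_RE.match(scheme):
        return "missing or malformed :scheme"
    if not _VISIBLE_RE.match(path) or not (path.startswith("/") or path == "*"):
        return "missing or malformed :path"
    if path == "*" and method != "OPTIONS":
        return "asterisk-form :path is only valid for OPTIONS"
    if ":authority" in pseudo:
        return _check_authority(pseudo[":authority"])
    return None
```

A server that applies this check answers a failing request with a stream-level PROTOCOL_ERROR instead of dereferencing values it never validated.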
--- Begin Message ---
Source: libsoup3
Source-Version: 3.6.5-2
Done: Simon McVittie <s...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated libsoup3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 12 Jul 2025 09:52:52 +0100
Source: libsoup3
Architecture: source
Version: 3.6.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 1103264 1103265 1103267 1105887 1106204 1106205 1106248 1109120
Changes:
libsoup3 (3.6.5-2) unstable; urgency=medium
 .
   * Team upload
   * d/patches: Re-export patch series (no functional changes)
   * d/p/multipart-Fix-read-out-of-buffer-bounds-under-soup_multip.patch:
     Add patch from upstream git to fix multipart message parsing.
     Previously this could read outside the buffer.
     This change isn't on upstream's 3.6.x branch yet, so take it from
     3.7.x. Test coverage is included.
     (CVE-2025-32914, Closes: #1103267)
   * d/p/soup-server-http2-Check-validity-of-the-constructed-conne.patch,
     d/p/soup-server-http2-Correct-check-of-the-validity-of-the-co.patch:
     Add patch from upstream git to fix denial of service in HTTP/2 server.
     The original change does not seem to have been fully correct; a
     follow-up fix for it is also included.
     (CVE-2025-32908, Closes: #1103265)
   * d/p/auth-digest-fix-crash-in-soup_auth_digest_get_protection_.patch:
     Add patch from upstream git to fix denial of service (a crash)
     if a libsoup client is connected to a malicious server.
     (CVE-2025-4476, Closes: #1105887)
   * d/p/soup-message-headers-Correct-merge-of-ranges.patch,
     d/p/server-mem-limit-test-Limit-memory-usage-only-when-not-bu.patch:
     Add patch from upstream git fixing server-side DoS in Range requests,
     with a follow-up patch to make the newly added test work when compiled
     with AddressSanitizer.
     (CVE-2025-32907, Closes: #1103264)
   * d/p/soup-multipart-Verify-boundary-limits-for-multipart-body.patch:
     Add patch from upstream git fixing denial of service with crafted
     multipart body.
     (CVE-2025-4948, Closes: #1106204)
   * d/p/soup-multipart-Verify-array-bounds-before-accessing-its-m.patch:
     Add patch from upstream git fixing another denial of service with
     crafted multipart body.
     (CVE-2025-4969, Closes: #1106248)
   * d/p/soup-date-utils-Add-value-checks-for-date-time-parsing.patch,
     d/p/tests-Add-tests-for-date-time-including-timezone-validati.patch:
     Add patch from upstream git fixing date/time validation, and expand
     test coverage for this area.
     (CVE-2025-4945, Closes: #1106205)
   * d/p/soup-form-Fix-a-possible-memory-leak-in-soup_form_decode_.patch:
     Add patch from upstream git fixing some memory leaks.
   * d/p/websocket-test-Fix-two-memory-leaks.patch,
     d/p/misc-test-Fix-two-memory-leaks.patch,
     d/p/http2-test-Fix-several-memory-leaks.patch,
     d/p/range-test-Fix-a-memory-leak.patch:
     Add patches from upstream git fixing some memory leaks in tests.
     These are certainly not denial-of-service issues, but it makes "real"
     memory leaks harder to detect if there are benign memory leaks in
     the test code.
   * d/p/test-utils-flush-stdout-after-printing.patch:
     Add patch from upstream git to improve test logging.
     This does not change production code, and should make it somewhat
     less difficult to diagnose the root cause of test failures.
     (Maybe helps: #1035983, #1109107, #1109108, #1109120)
   * d/p/test-utils-fix-deadlock-in-add_listener_in_thread.patch:
     Add patch from upstream git to fix a deadlock during testing.
     This hopefully addresses one of the many sources of low-probability test
     failures that add up to a noticeable probability of the test suite
     as a whole failing (see also #1035983). (Closes: #1109120)
   * d/p/tests-Treat-multithread-test-as-an-Apache-test.patch:
     Add patch to treat multithread-test like other Apache-based tests,
     so that it will not be run in parallel with others.
     (Maybe helps: #1035983)
   * d/rules: Capture test output into the buildd log, even if successful.
     If we don't have the output from successful test logs, it's more
     difficult to assess whether workarounds have helped, because we won't
     see whether the situation needing the workaround was ever triggered.
   * d/p/debian/docs-Remove-remotely-accessed-logo.patch:
     Remove remote logo references from local documentation, improving privacy
     and fixing a Lintian warning.
--- End Message ---