On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
> On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
> > Could you please advise if I can proceed with proposing the patches for
> > Bookworm?
>
> Sure, please open a merge request - but you might need to coordinate
> with Sean, who seems to have work-in-progress for some of the other
> open CVEs.
>
> Someone who knows this package better than I do should check your
> proposed patches to make sure they make sense as a backport of the CVE
> fixes.
https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4
Security team: Are you intending to issue a DSA for this, or is this
bookworm stable updates material?
The bookworm stable updates queue is currently frozen for this weekend's
point release, so if this is intended to go via stable updates, someone
will need to ask permission from the stable release managers after
reviewing the changes.
If we are doing either a stable update or a DSA, including a fix for at
least #1091502 would probably also be wise.
It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to
CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512),
CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420
(#1104055). If it is, it probably makes sense to address some or all of
those in the same update, rather than issuing one update per CVE.
smcv