Package: debian-security-support
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, libso...@packages.debian.org, libsoup...@packages.debian.org
libsoup is an http client and server library mainly used by GNOME, originally for SOAP and similar RPC protocols but later extended with generic http functionality similar to e.g. libcurl. It provides both client-side and server-side functionality, as well as utility code that is shared by both sides.

Its upstream developers updated its documentation in 3.6.1 to clarify that they do not recommend exposing SoupServer to untrusted http clients: <https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28>. If this advice is followed, it would mitigate many of libsoup's current CVEs.

Conversely, the client side of libsoup *is* intended to be safe to use against untrusted servers, e.g. in epiphany-browser aka GNOME Web (although it is also affected by some of the current CVEs, which I am in the process of wading through).

Should it perhaps be marked with something like this?

    libsoup2.4    limited    Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28
    libsoup3      limited    Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

(I'm sure you can think of better wording!)

    smcv