libsoup2.4_2.74.3-11_source.changes ACCEPTED into unstable

Debian FTP Masters ftpmaster at ftp-master.debian.org
Tue Dec 9 13:18:54 GMT 2025


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Dec 2025 13:29:08 +0100
Source: libsoup2.4
Architecture: source
Version: 2.74.3-11
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>
Changed-By: Andreas Henriksson <andreas at fatal.se>
Changes:
 libsoup2.4 (2.74.3-11) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2025-4945: integer overflow in cookie parsing.
     A flaw was found in the cookie parsing logic of the libsoup HTTP
     library, used in GNOME applications and other software. The
     vulnerability arises when processing the expiration date of cookies,
     where a specially crafted value can trigger an integer overflow. This
     may result in undefined behavior, allowing an attacker to bypass cookie
     expiration logic, causing persistent or unintended cookie behavior. The
     issue stems from improper validation of large integer inputs during date
     arithmetic operations within the cookie parsing routines.
   * CVE-2025-4476: crash in soup_auth_digest_get_protection_space.
     A denial-of-service vulnerability has been identified in the libsoup
     HTTP client library. This flaw can be triggered when a libsoup client
     receives a 401 (Unauthorized) HTTP response containing a specifically
     crafted domain parameter within the WWW-Authenticate header. Processing
     this malformed header can lead to a crash of the client application
     using libsoup. An attacker could exploit this by setting up a malicious
     HTTP server. If a user's application using the vulnerable libsoup
     library connects to this malicious server, it could result in a
     denial-of-service. Successful exploitation requires tricking a user's
     client application into connecting to the attacker's malicious server.
   * CVE-2025-4948: verify boundary limits for multipart body.
     A flaw was found in the soup_multipart_new_from_message() function of
     the libsoup HTTP library, which is commonly used by GNOME and other
     applications to handle web communications. The issue occurs when the
     library processes specially crafted multipart messages. Due to improper
     validation, an internal calculation can go wrong, leading to an integer
     underflow. This can cause the program to access invalid memory and
     crash. As a result, any application or server using libsoup could be
     forced to exit unexpectedly, creating a denial-of-service (DoS) risk.
   * CVE-2025-4969: verify array bounds before accessing.
     A vulnerability was found in the libsoup package. This flaw stems from
     its failure to correctly verify the termination of multipart HTTP
     messages. This can allow a remote attacker to send a specially crafted
     multipart HTTP body, causing the libsoup-consuming server to read beyond
     its allocated memory boundaries (out-of-bounds read).
Checksums-Sha1:
 258b265e7cdab1d48683b08f68716a4536bde99d 3374 libsoup2.4_2.74.3-11.dsc
 75cd5eec0b2c5d363e4934f2e0b27fac4ad4f721 47820 libsoup2.4_2.74.3-11.debian.tar.xz
 76fb290c322e5c8ae635cbd0ac4c618ba025dbd0 15743 libsoup2.4_2.74.3-11_arm64.buildinfo
Checksums-Sha256:
 41bdcada448b9999e7e18d24c003eb2f17ddded264edd9129591325cf5360cf9 3374 libsoup2.4_2.74.3-11.dsc
 08880f306394f4f8a8a78a726a218463e8dd8a0677e5eb0c1cc06b84653f0901 47820 libsoup2.4_2.74.3-11.debian.tar.xz
 7579c0bf71a4929afb92a80c749c9c6a2d776e3cdc2de9261541ffcf7e14fa46 15743 libsoup2.4_2.74.3-11_arm64.buildinfo
Files:
 d2595f96762badc234aced9df993687c 3374 oldlibs optional libsoup2.4_2.74.3-11.dsc
 5ed8ee169dba999b7de5660c36406821 47820 oldlibs optional libsoup2.4_2.74.3-11.debian.tar.xz
 de0394fe04c1403202d6db40f0404bc0 15743 oldlibs optional libsoup2.4_2.74.3-11_arm64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
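The cookie entry above (CVE-2025-4945) describes a value taken from a cookie header being folded into date arithmetic with no range check, so that a large input wraps and the expiry logic is bypassed. The C program below is an added illustration of that bug class and of the check that closes it; it is written for this page and is not libsoup's own code. It uses a Max-Age delta as the concrete case (the changelog does not say which cookie attribute libsoup's arithmetic involved), a fixed clock value of 1700000000 and constructed header values, and relies on the GCC/Clang `__builtin_add_overflow` builtin.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of turning a Max-Age attribute into an absolute expiry time. */
typedef struct {
    int ok;          /* 1 if the attribute parsed and produced an expiry */
    int clamped;     /* 1 if now + delta would have overflowed and was saturated */
    int64_t expiry;  /* seconds since the epoch; INT64_MIN means "already expired" */
} cookie_expiry_t;

/* Parse a Max-Age value per RFC 6265 section 5.2.2: an optional leading '-'
 * followed by ASCII digits only; anything else means "ignore the attribute".
 * strtoll's ERANGE report rejects values outside the int64 range instead of
 * letting them wrap, which is exactly the input the overflow needs. */
static int parse_max_age(const char *value, int64_t *delta)
{
    if (value == NULL || *value == '\0')
        return 0;
    const char *p = value;
    if (*p == '-')
        p++;
    if (*p == '\0')
        return 0;
    for (const char *q = p; *q; q++) {
        if (!isdigit((unsigned char)*q))
            return 0;
    }
    errno = 0;
    char *end = NULL;
    long long v = strtoll(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;
    *delta = (int64_t)v;
    return 1;
}

/* The bug class the changelog describes, in its simplest form: the header
 * value is added to the clock with no range check. For delta near INT64_MAX
 * the signed addition is undefined behaviour; on common toolchains it wraps
 * negative, so the cookie is treated as already expired, and a large
 * negative delta wraps into the far future and never expires. Kept only
 * for comparison; never feed it untrusted input. */
int64_t expiry_unchecked(int64_t now, int64_t delta)
{
    return now + delta;
}

/* Hardened form: delta <= 0 expires the cookie immediately (RFC 6265), and
 * a positive delta that would overflow saturates to INT64_MAX, the same
 * "last representable date" clamping RFC 6265 section 5.2.1 allows for
 * Expires. The clamped flag lets the caller log or reject instead of
 * silently accepting an effectively eternal cookie. */
cookie_expiry_t expiry_from_max_age(const char *value, int64_t now)
{
    cookie_expiry_t r = { 0, 0, 0 };
    int64_t delta;
    if (!parse_max_age(value, &delta))
        return r;
    r.ok = 1;
    if (delta <= 0) {
        r.expiry = INT64_MIN;
    } else if (__builtin_add_overflow(now, delta, &r.expiry)) {
        r.clamped = 1;
        r.expiry = INT64_MAX;
    }
    return r;
}

/* The check a cookie jar runs before sending a stored cookie. */
int cookie_expired(int64_t expiry, int64_t now)
{
    return expiry <= now;
}

int main(void)
{
    /* Constructed header values, not captured traffic; fixed clock for reproducibility. */
    const char *samples[] = { "3600", "-1", "abc", "9223372036854775807", "99999999999999999999" };
    const int64_t now = 1700000000;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        cookie_expiry_t r = expiry_from_max_age(samples[i], now);
        printf("Max-Age=%-22s ok=%d clamped=%d expired=%d\n", samples[i], r.ok, r.clamped,
               r.ok ? cookie_expired(r.expiry, now) : -1);
    }
    return 0;
}
```

Saturating rather than rejecting keeps the observable behaviour ("this cookie outlives the process") identical for every oversized value, so a server cannot probe the client's integer width by varying the attribute; the `clamped` flag is there for logging, not for changing the decision.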

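The two multipart entries (CVE-2025-4948 and CVE-2025-4969) both come down to length arithmetic on the body being done before the body is known to be long enough, and to scanning for a terminating delimiter that never arrives. The C program below is an added example covering both; it is not code from libsoup or from soup_multipart_new_from_message(). It shows the unchecked subtraction beside a small multipart splitter in which every read is preceded by a length test and an unterminated body is rejected. It assumes no preamble before the first delimiter and boundaries of at most 70 characters (RFC 2046), and the sample bodies are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 8

typedef struct {
    const char *data;  /* first byte of the part, headers included */
    size_t len;
} part_t;

/* Bounded substring search. The loop condition i + nlen <= hlen never
 * subtracts, so a needle longer than the haystack yields "not found"
 * instead of a wrapped size_t and an out-of-bounds memcmp. */
static size_t find_bytes(const char *hay, size_t hlen, const char *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= hlen; i++) {
        if (memcmp(hay + i, needle, nlen) == 0)
            return i;
    }
    return SIZE_MAX;
}

/* The defect class the changelog describes, isolated: computing where the
 * closing delimiter "should" be by subtracting its length from the body
 * length before checking the body is long enough. For a body shorter than
 * the delimiter, len - dlen wraps to a huge size_t and memcmp reads far
 * outside the buffer. Kept only for comparison; never call it. */
int closing_delimiter_present_unchecked(const char *body, size_t len, const char *delim)
{
    size_t dlen = strlen(delim);
    size_t at = len - dlen;               /* underflows when len < dlen */
    return memcmp(body + at, delim, dlen) == 0;
}

/* Hardened splitter. Returns the part count, or -1 for a malformed body
 * (no opening delimiter, truncated right after a delimiter, or no closing
 * delimiter). Parts beyond max_parts are counted but not stored. */
int multipart_split(const char *body, size_t len, const char *boundary,
                    part_t *parts, int max_parts)
{
    size_t blen = strlen(boundary);
    if (blen == 0 || blen > 70)
        return -1;
    char delim[4 + 70 + 1];               /* "\r\n--" + boundary */
    memcpy(delim, "\r\n--", 4);
    memcpy(delim + 4, boundary, blen + 1);
    size_t dlen = 4 + blen;

    /* The first delimiter is "--boundary" with no leading CRLF. */
    if (len < dlen - 2 || memcmp(body, delim + 2, dlen - 2) != 0)
        return -1;
    size_t pos = dlen - 2;
    int count = 0;
    for (;;) {
        /* A delimiter must be followed by "--" (close) or CRLF (next part). */
        if (pos + 2 > len)
            return -1;
        if (body[pos] == '-' && body[pos + 1] == '-')
            return count;
        if (body[pos] != '\r' || body[pos + 1] != '\n')
            return -1;
        size_t start = pos + 2;           /* start <= len holds here */
        size_t rel = find_bytes(body + start, len - start, delim, dlen);
        if (rel == SIZE_MAX)
            return -1;                    /* unterminated: stop, do not read on */
        if (count < max_parts) {
            parts[count].data = body + start;
            parts[count].len = rel;
        }
        count++;
        pos = start + rel + dlen;
    }
}

/* Body of a part: everything after the first blank line, or the whole part
 * if it carries no headers. off + 4 <= len, so the subtraction is safe. */
part_t part_body(const part_t *p)
{
    part_t b = *p;
    size_t off = find_bytes(p->data, p->len, "\r\n\r\n", 4);
    if (off != SIZE_MAX) {
        b.data = p->data + off + 4;
        b.len = p->len - off - 4;
    }
    return b;
}

/* Wrappers returning plain values for the sample runs. */
int count_parts(const char *body, size_t len, const char *boundary)
{
    part_t parts[MAX_PARTS];
    return multipart_split(body, len, boundary, parts, MAX_PARTS);
}

size_t nth_part_body_len(const char *body, size_t len, const char *boundary, int n)
{
    part_t parts[MAX_PARTS];
    int count = multipart_split(body, len, boundary, parts, MAX_PARTS);
    if (count < 0 || n < 0 || n >= count || n >= MAX_PARTS)
        return SIZE_MAX;
    return part_body(&parts[n]).len;
}

/* Constructed sample bodies, not captured traffic. */
static const char SAMPLE_OK[] =
    "--XX\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\n1"
    "\r\n--XX\r\nContent-Disposition: form-data; name=\"b\"\r\n\r\n22"
    "\r\n--XX--\r\n";
static const char SAMPLE_UNTERMINATED[] = "--XX\r\nContent-Type: text/plain\r\n\r\nhello";
static const char SAMPLE_TRUNCATED[] = "--XX";   /* shorter than any closing delimiter */
static const char SAMPLE_EMPTY[] = "--XX--";

int main(void)
{
    printf("ok: %d parts\n", count_parts(SAMPLE_OK, sizeof SAMPLE_OK - 1, "XX"));
    printf("unterminated: %d\n", count_parts(SAMPLE_UNTERMINATED, sizeof SAMPLE_UNTERMINATED - 1, "XX"));
    printf("truncated: %d\n", count_parts(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED - 1, "XX"));
    printf("empty: %d\n", count_parts(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY - 1, "XX"));
    return 0;
}
```

The two habits that matter are visible in `find_bytes` and the loop in `multipart_split`: compare `i + nlen <= hlen` rather than computing `hlen - nlen`, and treat "delimiter not found" as a hard error instead of falling through to code that assumes a closing delimiter exists at the end of the buffer.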