libsoup3_3.6.5-2_source.changes ACCEPTED into unstable

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sat Jul 12 12:33:59 BST 2025


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Jul 2025 09:52:52 +0100
Source: libsoup3
Architecture: source
Version: 3.6.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv at debian.org>
Closes: 1103264 1103265 1103267 1105887 1106204 1106205 1106248 1109120
Changes:
 libsoup3 (3.6.5-2) unstable; urgency=medium
 .
   * Team upload
   * d/patches: Re-export patch series (no functional changes)
   * d/p/multipart-Fix-read-out-of-buffer-bounds-under-soup_multip.patch:
     Add patch from upstream git to fix multipart message parsing.
     Previously this could read outside the buffer.
     This change isn't on upstream's 3.6.x branch yet, so take it from
     3.7.x. Test coverage is included.
     (CVE-2025-32914, Closes: #1103267)
   * d/p/soup-server-http2-Check-validity-of-the-constructed-conne.patch,
     d/p/soup-server-http2-Correct-check-of-the-validity-of-the-co.patch:
     Add patch from upstream git to fix denial of service in HTTP/2 server.
     The original change does not seem to have been fully correct; a
     follow-up fix for it is also included.
     (CVE-2025-32908, Closes: #1103265)
   * d/p/auth-digest-fix-crash-in-soup_auth_digest_get_protection_.patch:
     Add patch from upstream git to fix denial of service (a crash)
     if a libsoup client is connected to a malicious server.
     (CVE-2025-4476, Closes: #1105887)
   * d/p/soup-message-headers-Correct-merge-of-ranges.patch,
     d/p/server-mem-limit-test-Limit-memory-usage-only-when-not-bu.patch:
     Add patch from upstream git fixing server-side DoS in Range requests,
     with a follow-up patch to make the newly added test work when compiled
     with AddressSanitizer.
     (CVE-2025-32907, Closes: #1103264)
   * d/p/soup-multipart-Verify-boundary-limits-for-multipart-body.patch:
     Add patch from upstream git fixing denial of service with crafted
     multipart body.
     (CVE-2025-4948, Closes: #1106204)
   * d/p/soup-multipart-Verify-array-bounds-before-accessing-its-m.patch:
     Add patch from upstream git fixing another denial of service with
     crafted multipart body.
     (CVE-2025-4969, Closes: #1106248)
   * d/p/soup-date-utils-Add-value-checks-for-date-time-parsing.patch,
     d/p/tests-Add-tests-for-date-time-including-timezone-validati.patch:
     Add patch from upstream git fixing date/time validation, and expand
     test coverage for this area.
     (CVE-2025-4945, Closes: #1106205)
   * d/p/soup-form-Fix-a-possible-memory-leak-in-soup_form_decode_.patch:
     Add patch from upstream git fixing some memory leaks
   * d/p/websocket-test-Fix-two-memory-leaks.patch,
     d/p/misc-test-Fix-two-memory-leaks.patch,
     d/p/http2-test-Fix-several-memory-leaks.patch,
     d/p/range-test-Fix-a-memory-leak.patch:
     Add patches from upstream git fixing some memory leaks in tests.
     These are certainly not denial-of-service issues, but it makes "real"
     memory leaks harder to detect if there are benign memory leaks in
     the test code.
   * d/p/test-utils-flush-stdout-after-printing.patch:
     Add patch from upstream git to improve test logging.
     This does not change production code, and should make it somewhat
     less difficult to diagnose the root cause of test failures.
     (Maybe helps: #1035983, #1109107, #1109108, #1109120)
   * d/p/test-utils-fix-deadlock-in-add_listener_in_thread.patch:
     Add patch from upstream git to fix a deadlock during testing.
     This hopefully addresses one of the many sources of low-probability test
     failures that add up to a noticeable probability of the test suite
     as a whole failing (see also #1035983). (Closes: #1109120)
   * d/p/tests-Treat-multithread-test-as-an-Apache-test.patch:
     Add patch to treat multithread-test like other Apache-based tests,
     so that it will not be run in parallel with others.
     (Maybe helps: #1035983)
   * d/rules: Capture test output into the buildd log, even if successful.
     If we don't have the output from successful test logs, it's more
     difficult to assess whether workarounds have helped, because we won't
     see whether the situation needing the workaround was ever triggered.
   * d/p/debian/docs-Remove-remotely-accessed-logo.patch:
     Remove remote logo references from local documentation, improving privacy
     and fixing a Lintian warning

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
