Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Simon McVittie
smcv at debian.org
Wed May 14 11:45:47 BST 2025
Please keep the subject line when replying to bug reports: package
maintainers will often see your email out-of-context among thousands of
other messages, and it's useful to have an idea of which package you're
talking about!

On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
> I noticed that the changelog in the [2] Salsa Debian
> Bookworm branch does not match the one in the source code for [3] Debian 12
> Bookworm.

It looks as though Sean Whitton released fixes for some other CVEs but
didn't update the gnome-team git repository (or perhaps wasn't able to
update the gnome-team git repository). I've fetched the changes from
https://salsa.debian.org/lts-team/packages/libsoup and pushed them to
the gnome-team repository now, so the debian/bookworm branch should be
up to date.

Sean, if you can, please push any subsequent work on libsoup2.4 to the
relevant branches at https://salsa.debian.org/gnome-team/libsoup at the
time that it's finalized/tagged/uploaded. (If you don't have access, I
can add you, but I think DDs might have access to gnome-team
repositories anyway?)

You're also welcome to push work-in-progress to the wip/* namespace if
that would be useful (or you can send merge requests from the lts-team's
fork or from a personal fork). If something is actively being worked on,
having a "Draft:" MR is probably valuable, even if it isn't ready to
land yet.

libsoup2.4 is an obsolete version of libsoup (the current version is
libsoup3, see #1056125) and the GNOME team has been trying to get other
Debian packages moved over to libsoup3, so fixing libsoup2.4 has not
been as high a priority as it might have been. Unfortunately we have not
been able to remove libsoup2.4, even in the upcoming Debian 13 release,
because various packages still depend on it
(https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org&tag=libsoup2).

> Could you please advise if I can proceed with proposing the patches for
> Bookworm?

Sure, please open a merge request - but you might need to coordinate with
Sean, who seems to have work-in-progress for some of the other open CVEs.
Someone who knows this package better than I do should check your
proposed patches to make sure they make sense as a backport of the
CVE fixes.

smcv