Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Simon McVittie
smcv at debian.org
Wed May 14 15:03:24 BST 2025
On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
>On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
>>Could you please advise if I can proceed with proposing the patches for
>>Bookworm?
>
>Sure, please open a merge request - but you might need to coordinate
>with Sean, who seems to have work-in-progress for some of the other
>open CVEs.
>
>Someone who knows this package better than I do should check your
>proposed patches to make sure they make sense as a backport of the CVE
>fixes.

https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4

Security team: Are you intending to issue a DSA for this, or is this
bookworm stable updates material?

The bookworm stable updates queue is currently frozen for this weekend's
point release, so if this is intended to go via stable updates, someone
will need to ask permission from the stable release managers after
reviewing the changes.

If we are doing either a stable update or a DSA, including a fix for at
least #1091502 would probably also be wise.

It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to
CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512),
CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420
(#1104055). If it is, it probably makes sense to address some or all of
those in the same update, rather than issuing one update per CVE.

    smcv