Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913

Salvatore Bonaccorso carnil at debian.org
Fri May 16 14:03:00 BST 2025


Hi Simon,

On Wed, May 14, 2025 at 03:03:24PM +0100, Simon McVittie wrote:
> On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
> > On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
> > > Could you please advise if I can proceed with proposing the patches for
> > > Bookworm?
> > 
> > Sure, please open a merge request - but you might need to coordinate
> > with Sean, who seems to have work-in-progress for some of the other open
> > CVEs.
> > 
> > Someone who knows this package better than I do should check your
> > proposed patches to make sure they make sense as a backport of the CVE
> > fixes.
> 
> https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4
> 
> Security team: Are you intending to issue a DSA for this, or is this
> bookworm stable updates material?
> 
> The bookworm stable updates queue is currently frozen for this weekend's
> point release, so if this is intended to go via stable updates, someone will
> need to ask permission from the stable release managers after reviewing the
> changes.
> 
> If we are doing either a stable update or a DSA, including a fix for at
> least #1091502 would probably also be wise.
> 
> It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to
> CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512),
> CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420
> (#1104055). If it is, it probably makes sense to address some or all of
> those in the same update, rather than issuing one update per CVE.

FWIW, we think none of the CVEs really warrant a DSA, so let's fix
those batches of libsoup2.4 issues first in unstable, make sure they
get into trixie and then let them reach bookworm via a point release
(i.e. 12.12).

Regards,
Salvatore
