libsoup3_3.6.5-9_source.changes ACCEPTED into unstable

Debian FTP Masters ftpmaster at ftp-master.debian.org
Tue Feb 3 22:18:48 GMT 2026


Thank you for your contribution to Debian.



Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Feb 2026 17:00:07 -0500
Source: libsoup3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.6.5-9
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbicha at ubuntu.com>
Closes: 1125156 1126548 1126627 1126628 1126876 1126877
Changes:
 libsoup3 (3.6.5-9) unstable; urgency=high
 .
   * SECURITY UPDATE: Out-of-bounds read
     - debian/patches/CVE-2026-0716-pre1.patch: websocket: do not
       accept messages frames after closing due to an error
     - debian/patches/CVE-2026-0716.patch: websocket: Fix out-of-bounds
       read in process_frame
       - CVE-2026-0716 (Closes: #1125156)
 .
 libsoup3 (3.6.5-8) unstable; urgency=high
 .
   [ Bruce Cable ]
   * SECURITY UPDATE: Carriage Return Line Feed Injection
     - debian/patches/CVE-2026-1467.patch: Do host validation when checking if
       a GUri is valid
       - CVE-2026-1467 (Closes: #1126548)
     - debian/patches/CVE-2026-1536.patch: Always validate the headers value
       when coming from untrusted source
       - CVE-2026-1536 (Closes: #1126627)
   * SECURITY UPDATE: Information Leak
     - debian/patches/CVE-2026-1539.patch: Also remove Proxy-Authorization
       header on cross origin redirect
     - CVE-2026-1539 (Closes: #1126628)
 .
   [ Jeremy Bícha ]
   * SECURITY UPDATE: HTTP Request smuggling vulnerability
     - debian/patches/CVE-2026-1760.patch: Close the connection after
       responding to a request containing Content-Length and Transfer-Encoding
       - CVE-2026-1760 (Closes: #1126876)
   * SECURITY UPDATE: Stack-based buffer overflow vulnerability
     - debian/patches/CVE-2026-1761.patch: Make sure read length is smaller
       than buffer length when boundary is found
       - CVE-2026-1761 (Closes: #1126877)
   * SECURITY UPDATE: HTTP Request smuggling vulnerability
     - debian/patches/CVE-2026-1801-pre1.patch: Correct chunked trailers
        end detection
     - debian/patches/CVE-2026-1801.patch: Use CRLF as line boundary
       when parsing chunked encoding data
       - CVE-2026-1801
Checksums-Sha1:
 000e3c5d998e773d3d213217b530dfad1c2d5d8b 2957 libsoup3_3.6.5-9.dsc
 911cb0c25e5af01c8a5fab6abb46bcd46f8c5c28 57820 libsoup3_3.6.5-9.debian.tar.xz
 1a4d99d3ffdd4bf12d4a04f41cfca0a1a4be2a26 13405 libsoup3_3.6.5-9_source.buildinfo
Checksums-Sha256:
 b6a1d8ec6732433f5b0085cbae89c1d130fc9ebf1cda86bf22fdd5b9b9bb71a7 2957 libsoup3_3.6.5-9.dsc
 b48ca579f7adf6bddb3fba64b45d0556494219915fe1cd45db71739604351545 57820 libsoup3_3.6.5-9.debian.tar.xz
 dd851d02c010471887c285e674f376a36ceb33fe90fd17909b7ad4b249bbb75d 13405 libsoup3_3.6.5-9_source.buildinfo
Files:
 821a0daa19aedab5053afd64cc63bb96 2957 devel optional libsoup3_3.6.5-9.dsc
 34e2cdda7235b426dea0256f556a0295 57820 devel optional libsoup3_3.6.5-9.debian.tar.xz
 95a650d627317600ccb4300c288a1f78 13405 devel optional libsoup3_3.6.5-9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
