Your message dated Wed, 13 Nov 2024 21:06:28 +0000
with message-id <[email protected]>
and subject line Bug#1087416: fixed in libsoup3 3.6.0-4
has caused the Debian Bug report #1087416,
regarding libsoup3: CVE-2024-52532
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1087416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087416
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsoup3
Version: 3.6.0-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libsoup3.
CVE-2024-52532[0]:
| GNOME libsoup before 3.6.1 has an infinite loop and memory
| consumption during the reading of certain patterns of WebSocket
| data from clients.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52532
https://www.cve.org/CVERecord?id=CVE-2024-52532
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
[2] https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libsoup3
Source-Version: 3.6.0-4
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated libsoup3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 13 Nov 2024 14:50:50 +0000
Source: libsoup3
Architecture: source
Version: 3.6.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1087416 1087417
Changes:
libsoup3 (3.6.0-4) unstable; urgency=medium
.
* d/patches: Add bug fixes from upstream
- d/p/server-Add-note-about-recommended-usage.patch:
Document the level of security support for the server side.
Upstream has clarified the documentation to state that SoupServer
is not intended to be exposed to untrusted clients.
(Related to CVE-2024-52531, CVE-2024-52532)
- d/p/headers-Be-more-robust-against-invalid-input-when-parsing.patch:
Fix a buffer overrun if asked to parse non-UTF-8 headers. It is
believed that this cannot happen on the client side, but it can
happen in SoupServer. (CVE-2024-52531, Closes: #1087417)
- d/p/tests-Add-test-for-passing-invalid-UTF-8-to-soup_header_p.patch:
Add a test-case for the above
- d/p/websocket-process-the-frame-as-soon-as-we-read-data.patch:
Avoid an infinite loop in WebSocket processing
(CVE-2024-52532, Closes: #1087416)
- d/p/websocket-test-disconnect-error-copy-after-the-test-ends.patch:
Fix a test failure after resolving CVE-2024-52532
* d/p/websocket-test-Disconnect-error-signal-in-another-place.patch:
Add proposed patch to fix another intermittent test failure after
resolving CVE-2024-52532
* d/control: libsoup-3.0-tests Depends on ca-certificates.
Related to #1054962, #1064744
* d/libsoup-3.0-doc.links: Register reference manual with devhelp
* d/libsoup-3.0-doc.links: Create symlinks in
/usr/share/doc/libsoup-3.0-{dev,doc} to make the HTML documentation
more discoverable
Checksums-Sha1:
983fb07db011f040f8352a68d4d8bba15ccdad0c 3182 libsoup3_3.6.0-4.dsc
41d91de795d00820bec5082948a6a171d1463b0a 30184 libsoup3_3.6.0-4.debian.tar.xz
0029242b9eb25368fbe0909ecfc1b0ff3c5201c2 12270 libsoup3_3.6.0-4_source.buildinfo
Checksums-Sha256:
72fa03b067e1df24d303b8a83f22a78fa6ad491de28207c1b7f4e2c26bc08b26 3182 libsoup3_3.6.0-4.dsc
5baf44106ebeab018a67fde3042fd46cf4b3e0a050b2b2697f396e131168ca78 30184 libsoup3_3.6.0-4.debian.tar.xz
e641587ae1006bfbbf7fd4c02d4be9eb81cd72830af9ff5bfd607e50a659a24d 12270 libsoup3_3.6.0-4_source.buildinfo
Files:
ba5a3149ca20e403a3fa57813d90c330 3182 devel optional libsoup3_3.6.0-4.dsc
443ccef129d5f00cbad4177c6864fa2d 30184 devel optional libsoup3_3.6.0-4.debian.tar.xz
9572d092b5b0c7e10e56db2efe51598f 12270 devel optional libsoup3_3.6.0-4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=rQ+K
-----END PGP SIGNATURE-----
--- End Message ---
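The practical question this thread leaves open for an administrator is whether a given host actually carries a libsoup3 at or above the fixing upload. The following script is an added example, not code from Debian, libsoup or either message above: it re-implements dpkg's version ordering (epoch, then upstream version, then Debian revision, with '~' sorting before everything including the end of the string) so the comparison can run anywhere, and applies it to a constructed host inventory. The fixed version 3.6.0-4 is taken from the changelog above and applies to unstable only; other suites have their own fixed versions on the security tracker linked in the report, so pass the appropriate one per suite. On a Debian host itself, `dpkg --compare-versions` and `dpkg-query -W` do the same job without this code.

```python
"""Check installed libsoup3 versions against the upload that closes
CVE-2024-52532 (3.6.0-4 in unstable, per the changelog on this page).

Added example; not Debian's, libsoup's or the reporter's code. The
inventory is constructed sample data and the hostnames are invented.
"""

FIXED_UNSTABLE = "3.6.0-4"  # from the libsoup3 3.6.0-4 changelog above


def _order(c):
    """dpkg character weight used in the non-digit comparison step:
    '~' < end of string < letters < other punctuation."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate non-digit runs (by _order) and numeric runs (by value)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # numeric run: leading zeros are insignificant, longer run wins
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the last '-'; upstream may contain '-'."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""  # no '-' means no Debian revision
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed, fixed=FIXED_UNSTABLE):
    """True if the installed version is at or above the fixing upload."""
    return compare_versions(installed, fixed) >= 0


def unpatched_hosts(inventory, fixed=FIXED_UNSTABLE):
    """Return the hosts whose libsoup3 version is older than the fix."""
    return sorted(h for h, v in inventory.items() if not is_fixed(v, fixed))


# Constructed inventory: hostname -> installed libsoup3 source version.
SAMPLE_INVENTORY = {
    "build-01": "3.6.0-2",          # the version the bug was filed against
    "build-02": "3.6.0-4",          # the fixing upload
    "build-03": "3.6.0~beta-1",     # hypothetical pre-release: '~' sorts below 3.6.0
    "build-04": "3.6.1-1",          # a later upstream release
    "build-05": "1:3.6.0-1",        # hypothetical epoch: outranks everything else
    "build-06": "3.6.0-4+deb13u1",  # hypothetical stable update on top of the fix
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is older than {FIXED_UNSTABLE}")
```

A version check is only as good as the fixed version it is given: a suite whose fix was backported under a different version string needs that string, not 3.6.0-4, which is why the script takes `fixed` as a parameter rather than hard-coding it into the comparison.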