Your message dated Fri, 21 Nov 2025 21:50:04 +0000
with message-id <[email protected]>
and subject line Bug#1116469: fixed in libsoup3 3.6.5-5
has caused the Debian Bug report #1116469,
regarding libsoup3: CVE-2025-11021
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116469: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116469
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsoup3
Version: 3.6.5-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/459
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libsoup3.
Opening a tracking bug, we marked this already no-dsa for trixie and
bookworm.
CVE-2025-11021[0]:
| A flaw was found in the cookie date handling logic of the libsoup
| HTTP library, widely used by GNOME and other applications for web
| communication. When processing cookies with specially crafted
| expiration dates, the library may perform an out-of-bounds memory
| read. This flaw could result in unintended disclosure of memory
| contents, potentially exposing sensitive information from the
| process using libsoup.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11021
https://www.cve.org/CVERecord?id=CVE-2025-11021
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/459
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libsoup3
Source-Version: 3.6.5-5
Done: Jeremy Bícha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated libsoup3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Nov 2025 16:36:49 -0500
Source: libsoup3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.6.5-5
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1116469
Changes:
 libsoup3 (3.6.5-5) unstable; urgency=high
 .
   * SECURITY UPDATE: Out of bounds read
     - CVE-2025-11021-1.patch, CVE-2025-11021-2.patch:
       Cherry-pick upstream patches to fix out-of-bounds read in
       libsoup/cookies/soup-cookie.c via soup_date_time_to_string()
     - CVE-2025-11021 (Closes: #1116469)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---