Your message dated Sat, 14 Feb 2026 23:50:19 +0000
with message-id <[email protected]>
and subject line Bug#1127905: fixed in libsoup3 3.6.6-1
has caused the Debian Bug report #1127905,
regarding libsoup3: CVE-2026-2443
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127905: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127905
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsoup3
Version: 3.6.5-9
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/487
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libsoup3.

CVE-2026-2443[0]:
| A flaw was identified in libsoup, a widely used HTTP library in
| GNOME-based systems. When processing specially crafted HTTP Range
| headers, the library may improperly validate requested byte ranges.
| In certain build configurations, this could allow a remote attacker
| to access portions of server memory beyond the intended response.
| Exploitation requires a vulnerable configuration and access to a
| server using the embedded SoupServer component.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2443
    https://www.cve.org/CVERecord?id=CVE-2026-2443
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/487
[2] https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/508

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libsoup3
Source-Version: 3.6.6-1
Done: Jeremy Bícha <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated libsoup3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Feb 2026 18:24:11 -0500
Source: libsoup3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.6.6-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1127843 1127905
Changes:
 libsoup3 (3.6.6-1) unstable; urgency=high
 .
   * New upstream release
     - SECURITY UPDATE: Integer overflow introduced by CVE-2025-32052 fix
       when resource_length=0
       - CVE-2026-2369 (Closes: #1127843)
     - SECURITY UPDATE: Out-of-bounds read in libsoup handle_partial_get()
       leading to heap information disclosure
       - CVE-2026-2443 (Closes: #1127905)
   * Remove patches applied in new release
   * Refresh patches



--- End Message ---
