Format: 1.8
Date: Tue, 09 Dec 2025 16:11:34 +0100
Source: libsoup2.4
Architecture: source
Version: 2.72.0-2+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1106325 1106337 1106375 1107757
Changes:
 libsoup2.4 (2.72.0-2+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Backport upstream fixes for:
   + CVE-2025-4945: integer overflow in cookie parsing.
     A flaw was found in the cookie parsing logic of the libsoup HTTP
     library, used in GNOME applications and other software. The
     vulnerability arises when processing the expiration date of cookies,
     where a specially crafted value can trigger an integer overflow. This
     may result in undefined behavior, allowing an attacker to bypass cookie
     expiration logic, causing persistent or unintended cookie behavior. The
     issue stems from improper validation of large integer inputs during date
     arithmetic operations within the cookie parsing routines.
     (Closes: #1106375)
   + CVE-2025-4476: crash in soup_auth_digest_get_protection_space.
     A denial-of-service vulnerability has been identified in the libsoup
     HTTP client library. This flaw can be triggered when a libsoup client
     receives a 401 (Unauthorized) HTTP response containing a specifically
     crafted domain parameter within the WWW-Authenticate header. Processing
     this malformed header can lead to a crash of the client application
     using libsoup. An attacker could exploit this by setting up a malicious
     HTTP server. If a user's application using the vulnerable libsoup
     library connects to this malicious server, it could result in a
     denial-of-service. Successful exploitation requires tricking a user's
     client application into connecting to the attacker's malicious server.
     (Closes: #1107757)
   + CVE-2025-4948: verify boundary limits for multipart body.
     A flaw was found in the soup_multipart_new_from_message() function of
     the libsoup HTTP library, which is commonly used by GNOME and other
     applications to handle web communications. The issue occurs when the
     library processes specially crafted multipart messages. Due to improper
     validation, an internal calculation can go wrong, leading to an integer
     underflow. This can cause the program to access invalid memory and
     crash. As a result, any application or server using libsoup could be
     forced to exit unexpectedly, creating a denial-of-service (DoS) risk.
     (Closes: #1106337)
   + CVE-2025-4969: verify array bounds before accessing.
     A vulnerability was found in the libsoup package. This flaw stems from
     its failure to correctly verify the termination of multipart HTTP
     messages. This can allow a remote attacker to send a specially crafted
     multipart HTTP body, causing the libsoup-consuming server to read beyond
     its allocated memory boundaries (out-of-bounds read).
     (Closes: #1106325)