libsoup2.4 (2.74.3-10.1)
COMMITS: VCS has seen 3 commits since the debian/2.74.3-10.1 tag
- Git: https://salsa.debian.org/gnome-team/libsoup.git
- Branch: debian/latest
- Path: debian/changelog
- Repo size: 3567616
- Browser: https://salsa.debian.org/gnome-team/libsoup
- Last scan: 2025-09-11 13:37:03+00
- Next scan: 2025-09-18 00:21:00+00
- CI pipeline status: failed
- Debian changelog in Git:
libsoup2.4 (2.74.3-10.1) unstable; urgency=high

  * Non-maintainer upload.
  * CVE-2025-32906:
    soup_headers_parse_request() function may be vulnerable to an
    out-of-bound read. This flaw allows a malicious user to use a specially
    crafted HTTP request to crash the HTTP server (Closes: #1103521).
  * CVE-2025-32909:
    SoupContentSniffer may be vulnerable to a NULL pointer dereference in
    the sniff_mp4 function. The HTTP server may cause the libsoup client to
    crash (Closes: #1103517).
  * CVE-2025-32910:
    soup_auth_digest_authenticate() is vulnerable to a NULL pointer
    dereference. This issue may cause the libsoup client to crash
    (Closes: #1103516).
  * CVE-2025-32911:
    use-after-free memory issue not on the heap in the
    soup_message_headers_get_content_disposition() function. This flaw
    allows a malicious HTTP client to cause memory corruption in the libsoup
    server (Closes: #1103515).
  * CVE-2025-32913:
    the soup_message_headers_get_content_disposition() function is
    vulnerable to a NULL pointer dereference. This flaw allows a malicious
    HTTP peer to crash a libsoup client or server that uses this function.
    (same fix for both CVE-2025-32911 and CVE-2025-32913)
  * CVE-2025-32912:
    SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP
    server may cause the libsoup client to crash.
  * CVE-2025-32914:
    the soup_multipart_new_from_message() function is vulnerable to an
    out-of-bounds read. This flaw allows a malicious HTTP client to induce the
    libsoup server to read out of bounds (Closes: #1103512).
  * CVE-2025-46420:
    the soup_header_parse_quality_list() function is vulnerable to memory
    leaks when parsing a quality list that contains elements with all zeroes
    (Closes: #1104055).

 -- Sean Whitton <spwhitton@spwhitton.name>  Sat, 03 May 2025 17:11:55 +0800
- This branch is 3 commits ahead of tag debian/2.74.3-10.1
- Git log:
commit 538837f52872eac70fd7b220d00750d8ca92f459
Author: Sean Whitton <spwhitton@spwhitton.name>
Date: Tue May 20 11:03:03 2025 +0100

    Revert "Move broken tests out of CVE-2025-46421.patch"

    This reverts commit fdc596f7b3a04603f30b15eea08e628ea9060843.
    This commit was broken.

commit fdc596f7b3a04603f30b15eea08e628ea9060843
Author: Sean Whitton <spwhitton@spwhitton.name>
Date: Tue May 20 11:01:30 2025 +0100

    Move broken tests out of CVE-2025-46421.patch

commit 3ce52af407456c2246e795cd3692a4531daf8ebc
Author: Sean Whitton <spwhitton@spwhitton.name>
Date: Tue May 20 11:00:52 2025 +0100

    Add WIP manual test for CVE-2025-46421