Debian Patches

Status for libsoup2.4/2.74.3-1+deb12u1

Patch Description Author Forwarded Bugs Origin Last update
skip-tls_interaction-test.patch skip tls_interaction test
This test is too unreliable on Debian architectures
and this package is too critical to not get timely updates

[smcv: Allow running it anyway, by setting an environment variable]
Jeremy Bicha <jbicha@ubuntu.com> yes upstream 2018-10-08
tests-Skip-tests-if-unable-to-start-Apache.patch tests: Skip tests if unable to start Apache
This is a workaround for Apache not always being able to bind to its
hard-coded ports, which happens often enough to be a problem for Debian
QA infrastructure, but not often enough to be able to debug it.
Simon McVittie <smcv@debian.org> yes 2020-03-11
Record-Apache-error-log-for-unit-tests-and-show-it-during.patch Record Apache error log for unit tests and show it during teardown
This helps to diagnose problems with the Apache-based tests.
Simon McVittie <smcv@debian.org> no 2021-12-27
Mark-XMLRPC-tests-as-flaky.patch Mark XMLRPC tests as flaky
They seem likely to fail during the PHP 8 transition, and don't seem to
be amazingly reliable in general.
Simon McVittie <smcv@debian.org> not-needed 2021-12-27
CVE-2024-52530.patch headers: Strictly don't allow NUL bytes
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.

(cherry picked from commit 04df03bc092ac20607f3e150936624d4f536e68b)
Patrick Griffis <pgriffis@igalia.com> no 2024-07-08
CVE-2024-52531-1.patch Define GLIB_VERSION_MAX_ALLOWED and GLIB_VERSION_MIN_REQUIRED
(cherry picked from commit 3c54033634ae537b52582900a7ba432c52ae8174)
Patrick Griffis <pgriffis@igalia.com> no 2024-09-16
CVE-2024-52531-2.patch headers: Be more robust against invalid input when parsing params
If you pass invalid input to a function such as soup_header_parse_param_list_strict()
it can cause an overflow if it decodes the input to UTF-8.

This should never happen with valid UTF-8 input which libsoup's client API
ensures, however it's server API does not currently.

(cherry picked from commit a35222dd0bfab2ac97c10e86b95f762456628283)
Patrick Griffis <pgriffis@igalia.com> no 2024-08-27
CVE-2024-52532-1.patch websocket: process the frame as soon as we read data
Otherwise we can enter in a read loop because we were not
validating the data until the all the data was read.

Fixes #391

(cherry picked from commit 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be)
Ignacio Casal Quinteiro <qignacio@amazon.com> no 2024-09-11
CVE-2024-52532-2.patch websocket-test: disconnect error copy after the test ends
Otherwise the server will have already sent a few more wrong
bytes and the client will continue getting errors to copy
but the error is already != NULL and it will assert

(cherry picked from commit 29b96fab2512666d7241e46c98cc45b60b795c0c)
Ignacio Casal Quinteiro <qignacio@amazon.com> no 2024-10-02
CVE-2024-52532-3.patch websocket-test: Disconnect error signal in another place
This is the same change as commit 29b96fab "websocket-test: disconnect
error copy after the test ends", and is done for the same reason, but
replicating it into a different function.

(cherry picked from commit 4c9e75c6676a37b6485620c332e568e1a3f530ff)
Simon McVittie <smcv@debian.org> no 2024-11-13

All known versions for source package 'libsoup2.4'

Links