Debian Patches
Status for libsoup2.4/2.74.3-10.1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| skip-tls_interaction-test.patch | skip tls_interaction test. This test is too unreliable on Debian architectures and this package is too critical to not get timely updates. [smcv: Allow running it anyway, by setting an environment variable] | Jeremy Bicha <jbicha@ubuntu.com> | yes | upstream | | 2018-10-08 |
| tests-Skip-tests-if-unable-to-start-Apache.patch | tests: Skip tests if unable to start Apache. This is a workaround for Apache not always being able to bind to its hard-coded ports, which happens often enough to be a problem for Debian QA infrastructure, but not often enough to be able to debug it. | Simon McVittie <smcv@debian.org> | yes | | | 2020-03-11 |
| Record-Apache-error-log-for-unit-tests-and-show-it-during.patch | Record Apache error log for unit tests and show it during teardown. This helps to diagnose problems with the Apache-based tests. | Simon McVittie <smcv@debian.org> | no | | | 2021-12-27 |
| Mark-XMLRPC-tests-as-flaky.patch | Mark XMLRPC tests as flaky. They seem likely to fail during the PHP 8 transition, and don't seem to be amazingly reliable in general. | Simon McVittie <smcv@debian.org> | not-needed | | | 2021-12-27 |
| CVE-2024-52530.patch | headers: Strictly don't allow NUL bytes. In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem. (cherry picked from commit 04df03bc092ac20607f3e150936624d4f536e68b) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-07-08 |
| CVE-2024-52531-1.patch | Define GLIB_VERSION_MAX_ALLOWED and GLIB_VERSION_MIN_REQUIRED (cherry picked from commit 3c54033634ae537b52582900a7ba432c52ae8174) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-09-16 |
| CVE-2024-52531-2.patch | headers: Be more robust against invalid input when parsing params. If you pass invalid input to a function such as soup_header_parse_param_list_strict() it can cause an overflow if it decodes the input to UTF-8. This should never happen with valid UTF-8 input which libsoup's client API ensures, however its server API does not currently. (cherry picked from commit a35222dd0bfab2ac97c10e86b95f762456628283) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-08-27 |
| CVE-2024-52532-1.patch | websocket: process the frame as soon as we read data. Otherwise we can enter in a read loop because we were not validating the data until all the data was read. Fixes #391 (cherry picked from commit 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be) | Ignacio Casal Quinteiro <qignacio@amazon.com> | no | | | 2024-09-11 |
| CVE-2024-52532-2.patch | websocket-test: disconnect error copy after the test ends. Otherwise the server will have already sent a few more wrong bytes and the client will continue getting errors to copy but the error is already != NULL and it will assert (cherry picked from commit 29b96fab2512666d7241e46c98cc45b60b795c0c) | Ignacio Casal Quinteiro <qignacio@amazon.com> | no | | | 2024-10-02 |
| CVE-2024-52532-3.patch | websocket-test: Disconnect error signal in another place. This is the same change as commit 29b96fab "websocket-test: disconnect error copy after the test ends", and is done for the same reason, but replicating it into a different function. (cherry picked from commit 4c9e75c6676a37b6485620c332e568e1a3f530ff) | Simon McVittie <smcv@debian.org> | no | | | 2024-11-13 |
| CVE-2025-2784-1.patch | [PATCH] sniffer: Fix potential overflow | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-02-05 |
| CVE-2025-2784-2.patch | [PATCH] sniffer: Add better coverage of skip_insignificant_space() | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-02-18 |
| CVE-2025-32050.patch | [PATCH] Fix using int instead of size_t for strcspn return | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-10-28 |
| CVE-2025-32052.patch | [PATCH] Fix heap buffer overflow in soup_content_sniffer_sniff | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-11-16 |
| CVE-2025-32053.patch | [PATCH] Fix heap buffer overflow in soup-content-sniffer.c:sniff_feed_or_html() | Ar Jun <pkillarjun@protonmail.com> | no | | | 2024-11-18 |
| Extend-test-cert-to-2049.patch | Extend test cert to 2049. Used `certtool -u --load-ca-privkey ./tests/test-key.pem --load-ca-certificate ./tests/test-cert.pem --load-certificate ./tests/test-cert.pem`. Without this patch, 3 tests failed in 2027: `11/29 misc-test FAIL 0.67s (exit status 1)`; `21/29 server-test FAIL 0.12s (exit status 1)`; `25/29 timeout-test FAIL 4.08s (killed by signal 5 SIGTRAP)`. Background: As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. The usual offset is +15 years, because that is how long I expect some software will be used in some places. This showed up failing tests in our package build. See https://reproducible-builds.org/ for why this matters. (cherry picked from commit 38a65f080a3168e8af78bdd3e4928debeea2dbd8) | "Bernhard M. Wiedemann" <bwiedemann@suse.de> | no | | | 2021-02-18 |
| CVE-2025-32906-1.patch | headers: Handle parsing edge case. This version number is specifically crafted to pass sanity checks allowing it to go one byte out of bounds. (cherry picked from commit 1f509f31b6f8420a3661c3f990424ab7b9164931) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-02-11 |
| CVE-2025-32906-2.patch | headers: Handle parsing only newlines. Closes #404. Closes #407. (cherry picked from commit af5b9a4a3945c52b940d5ac181ef51bb12011f1f) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-02-12 |
| CVE-2025-32909.patch | content-sniffer: Handle sniffing resource shorter than 4 bytes (cherry picked from commit ba4c3a6f988beff59e45801ab36067293d24ce92) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-01-08 |
| CVE-2025-32910-1.patch | auth-digest: Handle missing realm in authenticate header (cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-12-08 |
| CVE-2025-32910-2.patch | auth-digest: Handle missing nonce (cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-12-26 |
| CVE-2025-32910-3.patch | auth-digest: Fix leak (cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-12-27 |
| CVE-2025-32910-Backport-auth-tests.patch | Backport auth tests for CVE-2025-32910. Forward-ported from bullseye-security. | Andreas Henriksson <andreas@fatal.se> | no | | | 2025-04-26 |
| CVE-2025-32911-1.patch | soup_message_headers_get_content_disposition: Fix NULL deref (cherry picked from commit 7b4ef0e004ece3a308ccfaa714c284f4c96ade34) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-12-27 |
| CVE-2025-32911-2.patch | soup_message_headers_get_content_disposition: strdup truncated filenames. This table frees the strings it contains. (cherry picked from commit f4a761fb66512fff59798765e8ac5b9e57dceef0) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-12-27 |
| CVE-2025-32912-1.patch | auth-digest: Handle missing nonce (cherry picked from commit cd077513f267e43ce4b659eb18a1734d8a369992) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-02-05 |
| CVE-2025-32912-2.patch | digest-auth: Handle NULL nonce. `contains` only handles a missing nonce, `lookup` handles both missing and empty. (cherry picked from commit 910ebdcd3dd82386717a201c13c834f3a63eed7f) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2025-02-08 |
| CVE-2025-32914.patch | multipart: Fix read out of buffer bounds under soup_multipart_new_from_message(). This is CVE-2025-32914, specially crafted input can cause read out of buffer bounds of the body argument. Closes #436. (cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf) Tests backporting forward-ported from bullseye work by Andreas Henriksson. | Milan Crha <mcrha@redhat.com> | no | | | 2025-04-15 |
| CVE-2025-46420.patch | soup_header_parse_quality_list: Fix leak. When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings. (cherry picked from commit c9083869ec2a3037e6df4bd86b45c419ba295f8e) | Patrick Griffis <pgriffis@igalia.com> | no | | | 2024-12-26 |
| CVE-2025-46420_backport_tests.patch | Backport tests for CVE-2025-46420 | Sean Whitton <spwhitton@spwhitton.name> | no | | | 2025-05-03 |

All known versions for source package 'libsoup2.4'
- 2.74.3-10.1 (trixie, sid)
- 2.74.3-1+deb12u1 (bookworm)
