Debian Patches
Status for libsoup3/3.6.5-9
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| soup-init-Use-libdl-instead-of-gmodule-in-soup2_is_loaded.patch | soup-init: Use libdl instead of gmodule in `soup2_is_loaded` check Calling `g_module_open` in the library constructor can cause deadlocks when libsoup is used with other libraries that also contend for GLib mutexes. `dlopen` should be used instead. |
Fabio Manganiello <fabio@manganiello.tech> | yes | debian upstream | https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/475 | 2025-07-15 |
| skip-tls_interaction-test.patch | skip tls_interaction test This test is too unreliable on Debian architectures and this package is too critical to not get timely updates [smcv: Allow running it anyway, by setting an environment variable] |
Jeremy Bicha <jbicha@ubuntu.com> | yes | upstream | 2018-10-08 | |
| Record-Apache-error-log-for-unit-tests-and-show-it-during.patch | Record Apache error log for unit tests and show it during teardown This helps to diagnose problems with the Apache-based tests. |
Simon McVittie <smcv@debian.org> | no | 2021-12-27 | ||
| test-utils-Add-more-debug-for-starting-stopping-Apache.patch | test-utils: Add more debug for starting/stopping Apache | Simon McVittie <smcv@debian.org> | no | 2022-03-16 | ||
| tests-extend-timeout-for-http2-body-stream-test.patch | tests: extend timeout for http2-body-stream-test https://bugs.debian.org/1018709 |
Eric Long <i@hack3r.moe> | no | 2022-08-29 | ||
| multipart-Fix-read-out-of-buffer-bounds-under-soup_multip.patch | multipart: Fix read out of buffer bounds under soup_multipart_new_from_message() This is CVE-2025-32914, special crafted input can cause read out of buffer bounds of the body argument. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:5bfcf8157597f2d327050114fb37ff600004dbcf | 2025-04-15 |
| soup-server-http2-Check-validity-of-the-constructed-conne.patch | soup-server-http2: Check validity of the constructed connection URI The HTTP/2 pseudo-headers can contain invalid values, which the GUri rejects and returns NULL, but the soup-server did not check the validity and could abort the server itself later in the code. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:a792b23ab87cacbf4dd9462bf7b675fa678efbae | 2025-04-15 |
| soup-server-http2-Correct-check-of-the-validity-of-the-co.patch | soup-server-http2: Correct check of the validity of the constructed connection URI RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset. The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement the `io->in_callback` in the early returns. Related to #429 |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:a792b23ab87cacbf4dd9462bf7b675fa678efbae | 2025-04-28 |
| auth-digest-fix-crash-in-soup_auth_digest_get_protection_.patch | auth-digest: fix crash in soup_auth_digest_get_protection_space() We need to validate the Domain parameter in the WWW-Authenticate header. Unfortunately this crash only occurs when listening on default ports 80 and 443, so there's no good way to test for this. The test would require running as root. |
Michael Catanzaro <mcatanzaro@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:e64c221f9c7d09b48b610c5626b3b8c400f0907c | 2025-05-08 |
| test-utils-flush-stdout-after-printing.patch | test-utils: flush stdout after printing test_printf() would be more useful if it were to actually guarantee that everything has printed; otherwise, it cannot be used to determine how far we've made it in a test before a hang. |
Michael Catanzaro <mcatanzaro@redhat.com> | no | upstream, 3.7.0, commit:3eec3d8b9b5d8ac1e202d02c715663a440e6a508 | 2025-04-30 | |
| test-utils-fix-deadlock-in-add_listener_in_thread.patch | test-utils: fix deadlock in add_listener_in_thread() The mutex is locked in the wrong place here. Hopefully fixes #379 |
Michael Catanzaro <mcatanzaro@redhat.com> | yes | upstream | upstream, 3.7.0, commit:3c0cee2cfddb9ba31b30421f2b3cdd3c5a255e99 | 2025-04-30 |
| tests-Treat-multithread-test-as-an-Apache-test.patch | tests: Treat multithread-test as an Apache test This test calls apache_init() to run Apache on a hard-coded port, which means it cannot coexist with other tests in this group. Don't allow it to parallelize with others. Maybe helps: #1035983 |
Simon McVittie <smcv@debian.org> | no | 2025-07-11 | ||
| soup-form-Fix-a-possible-memory-leak-in-soup_form_decode_.patch | soup-form: Fix a possible memory leak in soup_form_decode_multipart() The output variables can be set multiple times, when there are multiparts with the same name, thus first clear any previously value and only then assign a new value. |
Milan Crha <mcrha@redhat.com> | yes | upstream | upstream, 3.7.0, commit:66b5c5be947062df9caf7025b56ee1de32aee3ac | 2025-05-13 |
| soup-message-headers-Correct-merge-of-ranges.patch | soup-message-headers: Correct merge of ranges It had been skipping every second range, which generated an array of a lot of insane ranges, causing large memory usage by the server. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:9bb92f7a685e31e10e9e8221d0342280432ce836 | 2025-04-15 |
| server-mem-limit-test-Limit-memory-usage-only-when-not-bu.patch | server-mem-limit-test: Limit memory usage only when not built witha sanitizer A build with -Db_sanitize=address crashes with failed mmap(), which is done inside libasan. The test requires 20.0TB of virtual memory when running with the sanitizer, which is beyond unsigned integer limits and may not trigger the bug anyway. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:eeace39ec686094ff6a05a43e5fce06e9c37f376 | 2025-05-13 |
| websocket-test-Fix-two-memory-leaks.patch | websocket-test: Fix two memory leaks The errors can be emitted also when joining the thread, in some cases, thus disconnect the handlers to avoid memory leaks in such case. |
Milan Crha <mcrha@redhat.com> | no | upstream, 3.7.0, commit:a6df31d7a89298fcdc6da0373f16ca222d052061 | 2025-05-22 | |
| misc-test-Fix-two-memory-leaks.patch | misc-test: Fix two memory leaks It's tested it returned the data/object, but it was not freed. |
Milan Crha <mcrha@redhat.com> | no | upstream, 3.7.0, commit:83e26e9001b500cc09ae52cef258195303fe32da | 2025-05-22 | |
| http2-test-Fix-several-memory-leaks.patch | http2-test: Fix several memory leaks These were more or less obvious, but missed. |
Milan Crha <mcrha@redhat.com> | no | upstream, 3.7.0, commit:21a99b2a2c3bb7d5574499c92e31f9ed0de13fad | 2025-05-22 | |
| range-test-Fix-a-memory-leak.patch | range-test: Fix a memory leak The 'succeed' is an argument, set by the caller, which does not mean the 'body' cannot be set to some data. |
Milan Crha <mcrha@redhat.com> | no | upstream, 3.7.0, commit:1e90797e2575d8b27e0431c03df5a4cbd4713b76 | 2025-05-22 | |
| soup-multipart-Verify-boundary-limits-for-multipart-body.patch | soup-multipart: Verify boundary limits for multipart body It could happen that the boundary started at a place which resulted into a negative number, which in an unsigned integer is a very large value. Check the body size is not a negative value before setting it. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:f2f28afe0b3b2b3009ab67d6874457ec6bac70c0 | 2025-05-15 |
| soup-multipart-Verify-array-bounds-before-accessing-its-m.patch | soup-multipart: Verify array bounds before accessing its members The boundary could be at a place which, calculated, pointed before the beginning of the array. Check the bounds, to avoid read out of the array bounds. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:b5b4dd10d4810f0c87b4eaffe88504f06e502f33 | 2025-05-19 |
| soup-date-utils-Add-value-checks-for-date-time-parsing.patch | soup-date-utils: Add value checks for date/time parsing Reject date/time when it does not represent a valid value. |
Milan Crha <mcrha@redhat.com> | yes | debian upstream | upstream, 3.7.0, commit:8988379984e33dcc7d3aa58551db13e48755959f | 2025-05-15 |
| tests-Add-tests-for-date-time-including-timezone-validati.patch | tests: Add tests for date-time including timezone validation work These tests are built on top of earlier work in a related pull request. |
Brian Yurko <155515-byurko@users.noreply.gitlab.gnome.org> | yes | debian upstream | upstream, 3.7.0, commit:8988379984e33dcc7d3aa58551db13e48755959f | 2025-06-11 |
| tests-Gracefully-skip-test-if-a-large-memory-allocation-f.patch | tests: Gracefully skip test if a large memory allocation fails On resource-constrained 32-bit machines, it might not be possible to allocate 1G of buffer space. Catch this and skip the test that uses very large buffers, instead of having it fail. |
Simon McVittie <smcv@debian.org> | yes | 2025-08-25 | ||
| debian/docs-Remove-remotely-accessed-logo.patch | docs: Remove remotely accessed logo Remote images in local documentation are not ideal from a privacy point of view. |
Simon McVittie <smcv@debian.org> | not-needed | 2025-07-12 | ||
| CVE-2025-11021-1.patch | cookies: Avoid expires attribute if date is invalid According to CVE-2025-11021, we may get invalid on processing date string with timezone offset, this commit will ignore it. Closes #459 (cherry picked from commit 9e1a427d2f047439d0320defe1593e6352595788) |
Alynx Zhou <alynx.zhou@gmail.com> | no | upstream, after 3.6.5 | 2025-10-11 | |
| CVE-2025-11021-2.patch | server: null-check soup_date_time_to_string() Since 9e1a427d2f047439d0320defe1593e6352595788 this function can now fail. (cherry picked from commit 51665d6b87c6a0084d5acb7aeeefc591c66dc2cd) |
Michael Catanzaro <mcatanzaro@redhat.com> | no | upstream, after 3.6.5 | 2025-10-15 | |
| CVE-2025-12105.patch | fix 'heap-use-after-free' caused by 'finishing' queue item twice (cherry picked from commit 9ba1243a24e442fa5ec44684617a4480027da960) |
Eugene Mutavchi <Ievgen_Mutavchi@comcast.com> | no | upstream, after 3.6.5 | 2025-10-10 | |
| tld-test-update-after-changes-in-the-public-suffix-list.patch | tld-test: update after changes in the public suffix list "*.bd" is no longer in the public suffix list so let's use ".jm" instead https://github.com/publicsuffix/list/pull/2623 |
Jeremy BĂcha <jbicha@ubuntu.com> | yes | 2026-01-23 | ||
| CVE-2025-14523.patch | Reject duplicate Host headers RFC 9112 section 3.2 says: A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field line or a Host header field with an invalid field value. In addition to rejecting a duplicate header when parsing headers, also reject attempts to add the duplicate header using the soup_message_headers_append() API, and add tests for both cases. These checks will also apply to HTTP/2. I'm not sure whether this is actually desired or not, but the header processing code is not aware of which HTTP version is in use. (Note that while SoupMessageHeaders does not require the Host header to be present in an HTTP/1.1 request, SoupServer itself does. So we can't test the case of missing Host header via the header parsing test, but it really is enforced.) Fixes #472 (cherry picked from commit aecd8daadc110f8561fb2d6b2806a4cacf2e4c85) |
Michael Catanzaro <mcatanzaro@redhat.com> | no | upstream, after 3.6.5 | 2026-01-07 | |
| CVE-2026-0716-pre1.patch | websocket: do not accept messages frames after closing due to an error Closes #469 (cherry picked from commit 6a7976f3d95c44ff58c37249fd5cc84a5d1b0b44) |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-30 | |
| CVE-2026-0716.patch | websocket: Fix out-of-bounds read in process_frame If the maximum incoming payload size is unset, then a malicious frame could cause an overflow when calculating the needed amount of data, leading to an out-of-bounds read later. This is CVE-2026-0716. Closes #476 (cherry picked from commit 6ff7ef0fd5fa4360bf99ec8322d95dd89a874770) |
Mike Gorse <mgorse@suse.com> | no | upstream, after 3.6.5 | 2026-02-02 | |
| CVE-2026-1467.patch | uri-utils: do host validation when checking if a GUri is valid Currently we only check if the host is not NULL and not empty, but it might contain invalid characters not allowed for a host name in a URL. This patch replaces the SOUP_URI_IS_VALID internal macro by a function that in addition to the existing checks, it also validates the host. Closes #488 |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-22 | |
| CVE-2026-1536.patch | Always validate the headers value when coming from untrusted source Add trusted_value parameter to soup_message_headers_append_common() and soup_message_headers_replace_common() and check that the value is valid when FALSE is passed. Closes #486 |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-23 | |
| CVE-2026-1539.patch | Also remove Proxy-Authorization header on cross origin redirect Closes #489 |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-20 | |
| CVE-2026-1761.patch | multipart: check length of bytes read soup_filter_input_stream_read_until() We do make sure the read length is smaller than the buffer length when the boundary is not found, but we should do the same when the boundary is found. Spotted in #YWH-PGM9867-149 Closes #493 (cherry picked from commit cfa9d90d1a5c274233554a264c56551c13d6a6f0) |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-19 | |
| CVE-2026-1801-pre1.patch | soup-body-input-stream: Correct chunked trailers end detection The `if` was always `true`, because the `metabuf` cannot be both values at the same time, thus at least one of the `strncmp` returned non-zero. Related to https://gitlab.gnome.org/GNOME/libsoup/-/issues/445 (cherry picked from commit 8a2e15c88512ae4517d2c2c887d39299725b22da) |
Milan Crha <mcrha@redhat.com> | no | upstream, after 3.6.5 | 2025-05-13 | |
| CVE-2026-1801.patch | Use CRLF as line boundary when parsing chunked enconding data Closes #481 (cherry picked from commit b9a1c0663ff8ab6e79715db4b35b54f560416ddd) |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-29 | |
| CVE-2026-1760.patch | server: close the connection after responsing a request containing Content-Length and Transfer-Encoding Closes #475 (cherry picked from commit 6224df5a471e9040a99dd3dc2e91817a701b1bf6) |
Carlos Garcia Campos <cgarcia@igalia.com> | no | upstream, after 3.6.5 | 2026-01-29 |
All known versions for source package 'libsoup3'
- 3.6.5-9 (sid)
- 3.6.5-7 (forky)
- 3.6.5-3 (trixie)
- 3.2.3-0+deb12u2 (bookworm)