Opened 3 months ago
Closed 3 months ago
#20671 closed enhancement (fixed)
libsoup3-3.6.1
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 12.3 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version
It looks like the currency scripts didn't pick this one up. It does have some security fixes in it:
On 11/9/24 10:45, Alan Coopersmith wrote:

> https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home lists four security
> vulnerabilities reported against libsoup since June 2024, none of which have
> CVE id's listed as being assigned. (For those not familiar with it, libsoup is
> an HTTP client/server library for the GNOME desktop.)

It appears that Mitre issued CVE id's for the first 3 of these yesterday:

> 1) Request smuggling via stripping of null bytes from the ends of header names
> https://gitlab.gnome.org/GNOME/libsoup/-/issues/377

https://www.cve.org/CVERecord?id=CVE-2024-52530

> 2) headers: Be more robust against invalid input when parsing params
> https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407

https://www.cve.org/CVERecord?id=CVE-2024-52531

> 3) Infinite loop while reading websocket data
> https://gitlab.gnome.org/GNOME/libsoup/-/issues/391

https://www.cve.org/CVERecord?id=CVE-2024-52532

Our best bet is to wait until Saturday to do it once the new version is available alongside the rest of GNOME 47.2.
Change History (8)
comment:1 by , 3 months ago
Summary: | libsoup-3.6.0 (wait for 3.6.1 on 2024-11-23) (currency fix needed) → libsoup-3.6.0 (wait for 3.6.1 on 2024-11-23) |
---|
comment:2 by , 3 months ago
Summary: | libsoup-3.6.0 (wait for 3.6.1 on 2024-11-23) → libsoup3-3.6.0 (wait for 3.6.1 on 2024-11-23) |
---|
comment:3 by , 3 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Summary: | libsoup3-3.6.0 (wait for 3.6.1 on 2024-11-23) → libsoup3-3.6.1 |
comment:4 by , 3 months ago
Milestone: | 99-Waiting → 12.3 |
---|
comment:5 by , 3 months ago
Changes in libsoup from 3.6.0 to 3.6.1:
- Fix `soup_uri_copy()` reading port as a long instead of an int
- Fix possible NULL deref in `soup_uri_decode_data_uri()`
- Fix possible overflow in `SoupContentSniffer`
- Fix assertion in `soup_uri_decode_data_uri()` on URLs with a path starting with `//`
- headers: Be more robust against invalid input when parsing params
- websocket: Fix possibility of being stuck in a read loop
comment:6 by , 3 months ago
Release notes for 3.5.x to 3.6.0:
Changes in libsoup from 3.4.4 to 3.5.1:
- Add `SOUP_METHOD_PATCH`
- websocket: Add `SoupWebsocketConnection:keepalive-pong-timeout` property
- Increase maximum size of HTTP headers
- Fix `soup_uri_copy()` in Vala
- Fix leak in `soup_message_new_from_encoded_form()`
- multipart: Improve handling of messages missing termination
- logger: Fix request filter function being called with response user data
- logger: Fix response bodies never being logged if request bodies aren't
- logger: Add Soup-Host to logged headers for when Host is missing
- cookies: Fix incorrect logic in determining same-site cookies
- cookie-jar-db: Explicitly handle old databases lacking same-site column
- cookies: Limit the Max-Age to 1 year
Changes in libsoup from 3.5.1 to 3.5.2:
- Strictly forbid NUL bytes in headers
- Fix minor leaks
Changes in libsoup from 3.5.2 to 3.6.0:
- Allow HTTP/2 to be used with non-HTTP proxies
Currency has been fixed.