Opened 3 months ago

Closed 3 months ago

#20671 closed enhancement (fixed)

libsoup3-3.6.1

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version

It looks like the currency scripts didn't pick this one up. It does have some security fixes in it:

On 11/9/24 10:45, Alan Coopersmith wrote:
> https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home lists four security
> vulnerabilities reported against libsoup since June 2024, none of which have
> CVE IDs listed as being assigned.  (For those not familiar with it, libsoup is
> an HTTP client/server library for the GNOME desktop.)

It appears that Mitre issued CVE IDs for the first 3 of these yesterday:

> 1) Request smuggling via stripping of null bytes from the ends of header names
>     https://gitlab.gnome.org/GNOME/libsoup/-/issues/377

https://www.cve.org/CVERecord?id=CVE-2024-52530

> 2) headers: Be more robust against invalid input when parsing params
>     https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407

https://www.cve.org/CVERecord?id=CVE-2024-52531

> 3) Infinite loop while reading websocket data
>     https://gitlab.gnome.org/GNOME/libsoup/-/issues/391

https://www.cve.org/CVERecord?id=CVE-2024-52532

Our best bet is to wait until Saturday to do it once the new version is available alongside the rest of GNOME 47.2.

Change History (8)

comment:1 by Bruce Dubbs, 3 months ago

Summary: libsoup-3.6.0 (wait for 3.6.1 on 2024-11-23) (currency fix needed) → libsoup-3.6.0 (wait for 3.6.1 on 2024-11-23)

Currency has been fixed.

comment:2 by Xi Ruoyao, 3 months ago

Summary: libsoup-3.6.0 (wait for 3.6.1 on 2024-11-23) → libsoup3-3.6.0 (wait for 3.6.1 on 2024-11-23)

comment:3 by Douglas R. Reno, 3 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned
Summary: libsoup3-3.6.0 (wait for 3.6.1 on 2024-11-23) → libsoup3-3.6.1

comment:4 by Douglas R. Reno, 3 months ago

Milestone: 99-Waiting → 12.3

comment:5 by Douglas R. Reno, 3 months ago

Changes in libsoup from 3.6.0 to 3.6.1:

  • Fix soup_uri_copy() reading port as a long instead of an int
  • Fix possible NULL deref in soup_uri_decode_data_uri()
  • Fix possible overflow in SoupContentSniffer
  • Fix assertion in soup_uri_decode_data_uri() on URLs with a path starting with //
  • headers: Be more robust against invalid input when parsing params
  • websocket: Fix possibility of being stuck in a read loop

comment:6 by Douglas R. Reno, 3 months ago

Release notes for 3.5.x to 3.6.0:

Changes in libsoup from 3.4.4 to 3.5.1:

  • Add SOUP_METHOD_PATCH
  • websocket: Add SoupWebsocketConnection:keepalive-pong-timeout property
  • Increase maximum size of HTTP headers
  • Fix soup_uri_copy() in Vala
  • Fix leak in soup_message_new_from_encoded_form()
  • multipart: Improve handling of messages missing termination
  • logger: Fix request filter function being called with response user data
  • logger: Fix response bodies never being logged if request bodies aren't
  • logger: Add Soup-Host to logged headers for when Host is missing
  • cookies: Fix incorrect logic in determining same-site cookies
  • cookie-jar-db: Explicitly handle old databases lacking same-site column
  • cookies: Limit the Max-Age to 1 year

Changes in libsoup from 3.5.1 to 3.5.2:

  • Strictly forbid NUL bytes in headers
  • Fix minor leaks

Changes in libsoup from 3.5.2 to 3.6.0:

  • Allow HTTP/2 to be used with non-HTTP proxies

comment:8 by Douglas R. Reno, 3 months ago

Resolution: fixed
Status: assigned → closed

SA-12.2-047 issued
