1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1109118: debian-security-support: Mark libsoup2.4, libsoup3 with li

    From Simon McVittie@21:1/5 to All on Fri Jul 11 19:20:01 2025
    Package: debian-security-support
    Severity: normal
    Tags: security
    X-Debbugs-Cc: Debian Security Team <[email protected]>, [email protected], [email protected]

    libsoup is a http client and server library mainly used by GNOME,
    originally for SOAP and similar RPC protocols but later extended with
    generic http functionality similar to e.g. libcurl. It provides both client-side and server-side functionality, as well as utility code that
    is shared by both sides.

    Its upstream developers updated its documentation in 3.6.1 to clarify
    that they do not recommend exposing SoupServer to untrusted http
    clients: <https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28>.
    If this advice is followed, it would mitigate many of libsoup's
    current CVEs.

    Conversely, the client side of libsoup *is* intended to be safe to use
    against untrusted servers, e.g. in epiphany-browser aka GNOME Web
    (although it is also affected by some of the current CVEs, which I am in
    the process of wading through).

    Should it perhaps be marked with something like this?

    libsoup2.4 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28
    libsoup3 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    (I'm sure you can think of better wording!)

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Holger Levsen@21:1/5 to Simon McVittie on Fri Jul 11 22:10:01 2025
    On Fri, Jul 11, 2025 at 06:11:17PM +0100, Simon McVittie wrote:
    Should it perhaps be marked with something like this?
    libsoup2.4 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28
    libsoup3 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    if you say so...! :)

    (I'm sure you can think of better wording!)

    I think the wording is totally fine...


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Whether's Taylor Swift endorsing Kamala Harris or Kanye West declaring his
    love for Hitler, musicians on both sides of the aisle have embraced controversial figures. (New York Times Pitchbot)

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmhxbWcACgkQCRq4Vgaa qhxURBAAucKcqFEzxCAjYP85yxoSfHVQDzIxnn3HBhFYLPJs4pOcSXB9FbjBLQlQ 5RKQ2Jm+EXtou3Krc5DjpaZikGWqPSYJWzkNTtOVvTAmVjkQD2BJ5oRG2hGV3b+z VxOTB4nfBRRCQElOJSRTyrTuq20+JObshsow5RjiF545y9YD3xpVb7CuuYvE3H48 J/0wR7vsOx98wwUHpRhEfvEGbHo/PObw76MTB/0LHb3SgUCaHyZwmJrtCmI2hAMX qLIj3RAnUEhoZKrPZHalVzQSkR9MwpCEbVIPcxf4Pevr3TjnRdsRjctETtHAzzz5 VGN7bRCIa8eA3XGnTYYfPfyDspx/pXihE5occDIV6y3oQxa4dUKvvxmkXkJGPyy3 aVGkofp2mOyEgMtuZ4AcXnqOVKGc4mGrMxjA263fV09OpOhr4c600PiabebVqMDC u5muh1RJWC+UxDef2NKC+N3NCjJOftTGMpMelVwOoRJu0snBRGA
  • From Holger Levsen@21:1/5 to Simon McVittie on Sat Jul 12 12:20:01 2025
    control: tags -1 pending
    # fixed locally in git just need to push

    On Fri, Jul 11, 2025 at 06:11:17PM +0100, Simon McVittie wrote:
    Should it perhaps be marked with something like this?
    libsoup2.4 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    so this should be for deb10-13

    libsoup3 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    while this is for deb12+13, correct?


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Homosexual behavior has been found in over 1,500 species. Homophobia is found in only one.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmhyNCgACgkQCRq4Vgaa qhwzPhAArO6A6i7z4spneJAGfDNziG4PX8pCPOHJZGPYPGSmtf5GjCajozVV97eW 86BvTt8K/WKeFY7hMMiqNcPOQnbFFe2nL82jCEMC0HV7O3i7j0X3tNGFbxrbVobz 8MJMHVdSyEtKw40sIJroNPWZ2bgIUOyA2vWcBS/TxVSH9RrzDWgRWOM+EyA5dhwN dgmoxjswptSZHb67XOU4EdghTiC38qFs0fgt9yznzsa0BHNCtFQp5boNf6QARfGr S6s2/2NZ8tERVtraaWa5IRQjZ3vj65XB2b7BCL+OIVIexytRSEd4mpW8mCLUnOa4 AEtevohSEbsKTjbY2KjhRSVeIBcDPbBqzbIoPUbrQy7O//nqmNjyIUFqLDFpkQpk xW4AwsZTXD+KYaCB3O5Gbt2PxwvAWmTeRTQoGWwkpLlEaJ/aGr+e9HGy8jN3mgUZ E0XNNkTWhsWGk/9IwmI/qknv/TPIjzXCjLYJD+Xp2KGfcpwzRFGZQPg+95EbqMNu KfoyRRf9U9VzcwI8kX+hRuNSmqlJQLWhSCFle932VaFXJH8xsrADgFarrE+vEJrt ob7HXIKTmQcf/haICNYLj
  • From Simon McVittie@21:1/5 to Holger Levsen on Sat Jul 12 13:30:01 2025
    On Sat, 12 Jul 2025 at 10:08:40 +0000, Holger Levsen wrote:
    On Fri, Jul 11, 2025 at 06:11:17PM +0100, Simon McVittie wrote:
    libsoup2.4 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    so this should be for deb10-13

    If Debian 10 is the oldest suite tracked by d-s-s then yes. If d-s-s
    tracks Debian 9 or older then the same would apply there too.

    libsoup3 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    while this is for deb12+13, correct?

    Yes. The limited support is equally applicable to all versions of
    libsoup in all suites, but Debian 12 seems to have been our oldest
    release that included libsoup3.

    I'm hoping we can remove libsoup2.4 altogether during the forky cycle (#1056125).

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Holger Levsen@21:1/5 to Simon McVittie on Sat Jul 12 14:30:01 2025
    On Sat, Jul 12, 2025 at 12:21:53PM +0100, Simon McVittie wrote:
    If Debian 10 is the oldest suite tracked by d-s-s then yes. If d-s-s tracks Debian 9 or older then the same would apply there too.

    ok, thanks.

    libsoup3 limited Only supported as a client, not as a server: see https://gitlab.gnome.org/GNOME/libsoup/-/commit/2a9d8ecc45bb814f6a81b1241e6c0c55d632aa28

    while this is for deb12+13, correct?

    Yes. The limited support is equally applicable to all versions of libsoup in all suites, but Debian 12 seems to have been our oldest release that
    included libsoup3.

    ok, thanks.

    I've updated security-support.deb10-13 in the master branch and confirmed with #debian-elts that d-s-s is not updated for elts.

    I'm hoping we can remove libsoup2.4 altogether during the forky cycle (#1056125).

    sounds good to me!


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    Historians have a word for Germans who joined the Nazi party, not because they hated Jews, but out of hope for restored patriotism, or a sense of economic anxiety, or a hope to preserve their religious values, or dislike of their opponents, or raw political opportunism, or convenience, or ignorance, or greed.
    That word is "Nazi". Nobody cares about their motives anymore.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmhyVIQACgkQCRq4Vgaa qhyAShAAmUKFwgElcMSB9/RQkWEk08dkXy69+KdmLa2dA9nDUbgXMQJcFt2jkQNV DAo4A/60VllYxdeAt6KA6PVwBen4MAdtzWC2RSZx2JOgYoAL0oZY0asgVzk5i9Sd ALA+PC+KvBGhFpsP9Khp6W8j3UexGlk6R3gkX3ubbx1d80d8t2eUUgajq1qfnLEZ M3C082p7JbUaNdGrGIHNDWToFlsMZ98M8Hnanr2nt0Sie+0u0aq37YQVeGFABzHC owY71XxZzYk2gGfPIxt4JPi7RhcCYDk2buZGRNExAXCFRnjWN3O