Your message dated Fri, 23 Jan 2026 17:49:16 +0000
with message-id <[email protected]>
and subject line Bug#1122667: fixed in libsoup3 3.6.5-7
has caused the Debian Bug report #1122667,
regarding libsoup3: CVE-2025-14523
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122667
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsoup3
Version: 3.6.5-5
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libsoup3.
CVE-2025-14523[0]:
| A flaw in libsoup’s HTTP header handling allows multiple Host:
| headers in a request and returns the last occurrence for server-side
| processing. Common front proxies often honor the first Host: header,
| so this mismatch can cause vhost confusion where a proxy routes a
| request to one backend but the backend interprets it as destined for
| another host. This discrepancy enables request-smuggling style
| attacks, cache poisoning, or bypassing host-based access controls
| when an attacker supplies duplicate Host headers.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-14523
https://www.cve.org/CVERecord?id=CVE-2025-14523
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
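The mismatch described in the CVE text above, sketched as an added example (not part of the bug report and not libsoup code): a first-wins reader stands in for the front proxy, a last-wins reader for the unpatched backend, and a strict reader rejects duplicates as the fix does. All function names, host names and sample requests are constructed for illustration.

```python
# Added illustration of the Host-header disagreement in CVE-2025-14523.
# Not libsoup's implementation; names and sample requests are constructed.

class DuplicateHostError(ValueError):
    """Request does not carry exactly one Host header."""


def host_values(raw: bytes) -> list:
    """Return every Host header value, in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.lower() == "host":       # field names are case-insensitive
            values.append(value.strip())
    return values


def first_host(raw: bytes):
    """Model of a front proxy that honours the first Host header."""
    vals = host_values(raw)
    return vals[0] if vals else None


def last_host(raw: bytes):
    """Model of the behaviour the CVE describes: last occurrence wins."""
    vals = host_values(raw)
    return vals[-1] if vals else None


def routing_mismatch(raw: bytes) -> bool:
    """True when the two models would pick different virtual hosts."""
    return first_host(raw) != last_host(raw)


def strict_host(raw: bytes) -> str:
    """Hardened reader: anything other than exactly one Host is refused
    (RFC 9112 requires a 400 response for zero or multiple Host lines)."""
    vals = host_values(raw)
    if len(vals) != 1:
        raise DuplicateHostError(f"expected 1 Host header, got {len(vals)}")
    return vals[0]


# Constructed sample requests.
OK = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
DUP = (b"GET / HTTP/1.1\r\nHost: public.example\r\n"
       b"Accept: */*\r\nhost: internal.example\r\n\r\n")
```

The same `routing_mismatch` check can be run over captured request heads at the proxy tier to flag traffic that the two layers would have interpreted differently.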
--- Begin Message ---
Source: libsoup3
Source-Version: 3.6.5-7
Done: Jeremy Bícha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libsoup3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated libsoup3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 23 Jan 2026 12:34:38 -0500
Source: libsoup3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.6.5-7
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1122667
Launchpad-Bugs-Fixed: 2138374
Changes:
libsoup3 (3.6.5-7) unstable; urgency=high
.
* SECURITY UPDATE: Cherry-pick upstream fix to reject duplicate Host headers
- CVE-2025-14523 (Closes: #1122667)
* Add patch to fix tests after changes to the public suffix list
(LP: #2138374)
* Bump Standards Version to 4.7.3
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---