Hi Simon,

On Wed, May 14, 2025 at 03:03:24PM +0100, Simon McVittie wrote:
> On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
> > On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
> > > Could you please advise if I can proceed with proposing the patches for Bookworm?
> >
> > Sure, please open a merge request - but you might need to coordinate with Sean, who seems to have work-in-progress for some of the other open CVEs.
> >
> > Someone who knows this package better than I do should check your proposed patches to make sure they make sense as a backport of the CVE fixes.
>
> https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4
>
> Security team: Are you intending to issue a DSA for this, or is this bookworm stable updates material?
>
> The bookworm stable updates queue is currently frozen for this weekend's point release, so if this is intended to go via stable updates, someone will need to ask permission from the stable release managers after reviewing the changes.
>
> If we are doing either a stable update or a DSA, including a fix for at least #1091502 would probably also be wise.
>
> It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512), CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420 (#1104055). If it is, it probably makes sense to address some or all of those in the same update, rather than issuing one update per CVE.
FWIW, we think none of the CVEs really warrant a DSA, so let's fix those batches of libsoup2.4 issues first in unstable, make sure they get into trixie and then let them reach bookworm via a point release (i.e. 12.12).

Regards,
Salvatore

