Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Hello,

On Sun 18 May 2025 at 09:03am -04, Jeremy Bícha wrote:

> On Sat, May 17, 2025 at 5:12 AM Simon McVittie wrote:
>> On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
>>> Simon, I have generally been making MRs for my updates but it would seem
>>> that I missed some of them. I would be grateful for gnome-team
>>> membership so that I can be sure to push everything.
>>
>> I can't add you to the team - sorry, I thought I could, but I'd lost
>> track of which groups I'm an Owner in. Instead I've added you to
>> gnome-team/libsoup (which contains source package libsoup2.4) and
>> gnome-team/libsoup3. If you'll be working on other GNOMEish libraries
>> for LTS, for example GLib or GTK, I can add you to those too, or perhaps
>> an Owner can give you access to the group as a whole.
>
> Sean, I added you as a "Developer" for the GNOME team.

Ah, thanks.

-- 
Sean Whitton
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
On Sat, May 17, 2025 at 5:12 AM Simon McVittie wrote:
> On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
>> Simon, I have generally been making MRs for my updates but it would seem
>> that I missed some of them. I would be grateful for gnome-team
>> membership so that I can be sure to push everything.
>
> I can't add you to the team - sorry, I thought I could, but I'd lost
> track of which groups I'm an Owner in. Instead I've added you to
> gnome-team/libsoup (which contains source package libsoup2.4) and
> gnome-team/libsoup3. If you'll be working on other GNOMEish libraries
> for LTS, for example GLib or GTK, I can add you to those too, or perhaps
> an Owner can give you access to the group as a whole.

Sean, I added you as a "Developer" for the GNOME team.

Simon, let me know if you want to be an "Owner" for the GNOME team. I don't see it as implying any additional responsibility.

Thank you,
Jeremy Bícha
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Hello,

On Sat 17 May 2025 at 10:08am +01, Simon McVittie wrote:

> On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
>> On Wed 14 May 2025 at 11:45am +01, Simon McVittie wrote:
>>>
>>> Sean, if you can, please push any subsequent work on libsoup2.4 to the
>>> relevant branches at https://salsa.debian.org/gnome-team/libsoup at the time
>>> that it's finalized/tagged/uploaded. (If you don't have access, I can add
>>> you, but I think DDs might have access to gnome-team repositories anyway?)
>>
>> Simon, I have generally been making MRs for my updates but it would seem
>> that I missed some of them. I would be grateful for gnome-team
>> membership so that I can be sure to push everything.
>
> I can't add you to the team - sorry, I thought I could, but I'd lost track of
> which groups I'm an Owner in. Instead I've added you to gnome-team/libsoup
> (which contains source package libsoup2.4) and gnome-team/libsoup3. If you'll
> be working on other GNOMEish libraries for LTS, for example GLib or GTK, I can
> add you to those too, or perhaps an Owner can give you access to the group as
> a whole.
>
> If you have work-in-progress that you want to track, our convention is to push
> branches in the wip/ namespace, like maybe wip/spwhitton/sometopic (or you can
> push to a fork, either works). Merge requests also welcome, please mark them
> as Draft if they aren't ready to land just yet.
>
> At the point where you're ready to upload, please push to the appropriate
> branch - there's no point in having merge requests to review things that, from
> the archive point of view, have already happened.

Thanks, Simon!

-- 
Sean Whitton
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
> On Wed 14 May 2025 at 11:45am +01, Simon McVittie wrote:
>> Sean, if you can, please push any subsequent work on libsoup2.4 to the
>> relevant branches at https://salsa.debian.org/gnome-team/libsoup at the time
>> that it's finalized/tagged/uploaded. (If you don't have access, I can add
>> you, but I think DDs might have access to gnome-team repositories anyway?)
>
> Simon, I have generally been making MRs for my updates but it would seem
> that I missed some of them. I would be grateful for gnome-team
> membership so that I can be sure to push everything.

I can't add you to the team - sorry, I thought I could, but I'd lost track of which groups I'm an Owner in. Instead I've added you to gnome-team/libsoup (which contains source package libsoup2.4) and gnome-team/libsoup3. If you'll be working on other GNOMEish libraries for LTS, for example GLib or GTK, I can add you to those too, or perhaps an Owner can give you access to the group as a whole.

If you have work-in-progress that you want to track, our convention is to push branches in the wip/ namespace, like maybe wip/spwhitton/sometopic (or you can push to a fork, either works). Merge requests also welcome, please mark them as Draft if they aren't ready to land just yet.

At the point where you're ready to upload, please push to the appropriate branch - there's no point in having merge requests to review things that, from the archive point of view, have already happened.

Thanks,
    smcv
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Hello,

On Wed 14 May 2025 at 11:45am +01, Simon McVittie wrote:

> Please keep the subject line when replying to bug reports: package maintainers
> will often see your email out-of-context among thousands of other messages,
> and it's useful to have an idea of which package you're talking about!
>
> On Wed, 14 May 2025 at 10:02:32 +, Naaz, Syeda Shagufta wrote:
>> I noticed that the changelog in the [2] Salsa Debian
>> Bookworm branch does not match the one in the source code for [3] Debian 12
>> Bookworm.
>
> It looks as though Sean Whitton released fixes for some other CVEs but didn't
> update the gnome-team git repository (or perhaps wasn't able to update the
> gnome-team git repository). I've fetched the changes from
> https://salsa.debian.org/lts-team/packages/libsoup and pushed them to the
> gnome-team repository now, so the debian/bookworm branch should be up to date.
>
> Sean, if you can, please push any subsequent work on libsoup2.4 to the
> relevant branches at https://salsa.debian.org/gnome-team/libsoup at the time
> that it's finalized/tagged/uploaded. (If you don't have access, I can add you,
> but I think DDs might have access to gnome-team repositories anyway?)

I do intend to do a proposed update for bookworm for everything fixed in sid. Syeda, I can review your MR at that point, thank you for submitting it.

Simon, I have generally been making MRs for my updates but it would seem that I missed some of them. I would be grateful for gnome-team membership so that I can be sure to push everything.

-- 
Sean Whitton
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Hi Simon,

On Wed, May 14, 2025 at 03:03:24PM +0100, Simon McVittie wrote:
> On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
>> On Wed, 14 May 2025 at 10:02:32 +, Naaz, Syeda Shagufta wrote:
>>> Could you please advise if I can proceed with proposing the patches for
>>> Bookworm?
>>
>> Sure, please open a merge request - but you might need to coordinate
>> with Sean, who seems to have work-in-progress for some of the other open
>> CVEs.
>>
>> Someone who knows this package better than I do should check your
>> proposed patches to make sure they make sense as a backport of the CVE
>> fixes.
>
> https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4
>
> Security team: Are you intending to issue a DSA for this, or is this
> bookworm stable updates material?
>
> The bookworm stable updates queue is currently frozen for this weekend's
> point release, so if this is intended to go via stable updates, someone will
> need to ask permission from the stable release managers after reviewing the
> changes.
>
> If we are doing either a stable update or a DSA, including a fix for at
> least #1091502 would probably also be wise.
>
> It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to
> CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512),
> CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420
> (#1104055). If it is, it probably makes sense to address some or all of
> those in the same update, rather than issuing one update per CVE.

FWIW, we think none of the CVEs really warrant a DSA, so let's fix those batches of libsoup2.4 issues first in unstable, make sure they get into trixie and then let them reach bookworm via a point release (i.e. 12.12).

Regards,
Salvatore
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Yes, Bookworm is vulnerable to the listed CVEs:

CVE-2025-32906
CVE-2025-32909
CVE-2025-32910
CVE-2025-32912
CVE-2025-32914
CVE-2025-46420

I have applied the fixes for these CVEs to the Bookworm package. The autopkgtest has completed successfully, and the ratt test is currently in progress. Once it completes, I will proceed with pushing the CVE fixes.

Regards,
Syeda Shagufta Naaz
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Thank you for the valuable feedback. I will make sure to include the subject line when replying to bug reports in the future.

I have raised the MR in the Salsa Bookworm branch and kindly request a review: https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4

Thank you.

Regards,
Syeda Shagufta Naaz
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
> On Wed, 14 May 2025 at 10:02:32 +, Naaz, Syeda Shagufta wrote:
>> Could you please advise if I can proceed with proposing the patches for
>> Bookworm?
>
> Sure, please open a merge request - but you might need to coordinate
> with Sean, who seems to have work-in-progress for some of the other open
> CVEs.
>
> Someone who knows this package better than I do should check your
> proposed patches to make sure they make sense as a backport of the CVE
> fixes.

https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4

Security team: Are you intending to issue a DSA for this, or is this bookworm stable updates material?

The bookworm stable updates queue is currently frozen for this weekend's point release, so if this is intended to go via stable updates, someone will need to ask permission from the stable release managers after reviewing the changes.

If we are doing either a stable update or a DSA, including a fix for at least #1091502 would probably also be wise.

It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512), CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420 (#1104055). If it is, it probably makes sense to address some or all of those in the same update, rather than issuing one update per CVE.

    smcv
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
On Wed, May 14, 2025 at 12:48 PM Simon McVittie wrote:
> Sean, if you can, please push any subsequent work on libsoup2.4 to the
> relevant branches at https://salsa.debian.org/gnome-team/libsoup at the
> time that it's finalized/tagged/uploaded. (If you don't have access, I
> can add you, but I think DDs might have access to gnome-team
> repositories anyway?)

We haven't given the Debian group push access to the gnome-team yet. It's been an unwritten policy that we generally give DDs access to the gnome-team if they request it and seem to know what they're doing. So it's up to Sean whether he would prefer to have access to the whole group, or we can give him access to specific packages if he prefers (libsoup2.4, libsoup3, etc.).

It's on our backlog to document a policy for joining the Debian GNOME team / getting push access to our repos.

Thank you,
Jeremy Bícha
Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913
Please keep the subject line when replying to bug reports: package maintainers will often see your email out-of-context among thousands of other messages, and it's useful to have an idea of which package you're talking about!

On Wed, 14 May 2025 at 10:02:32 +, Naaz, Syeda Shagufta wrote:
> I noticed that the changelog in the [2] Salsa Debian
> Bookworm branch does not match the one in the source code for [3] Debian 12
> Bookworm.

It looks as though Sean Whitton released fixes for some other CVEs but didn't update the gnome-team git repository (or perhaps wasn't able to update the gnome-team git repository). I've fetched the changes from https://salsa.debian.org/lts-team/packages/libsoup and pushed them to the gnome-team repository now, so the debian/bookworm branch should be up to date.

Sean, if you can, please push any subsequent work on libsoup2.4 to the relevant branches at https://salsa.debian.org/gnome-team/libsoup at the time that it's finalized/tagged/uploaded. (If you don't have access, I can add you, but I think DDs might have access to gnome-team repositories anyway?)

You're also welcome to push work-in-progress to the wip/* namespace if that would be useful (or you can send merge requests from the lts-team's fork or from a personal fork). If something is actively being worked on, having a "Draft:" MR is probably valuable, even if it isn't ready to land yet.

libsoup2.4 is an obsolete version of libsoup (the current version is libsoup3, see #1056125) and the GNOME team has been trying to get other Debian packages moved over to libsoup3, so fixing libsoup2.4 has not been as high a priority as it might have been. Unfortunately we have not been able to remove libsoup2.4, even in the upcoming Debian 13 release, because various packages still depend on it (https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org&tag=libsoup2).

> Could you please advise if I can proceed with proposing the patches for
> Bookworm?

Sure, please open a merge request - but you might need to coordinate with Sean, who seems to have work-in-progress for some of the other open CVEs.

Someone who knows this package better than I do should check your proposed patches to make sure they make sense as a backport of the CVE fixes.

    smcv