Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted libsoup3 3.6.5-8 (source) into unstable
Date: Tue, 03 Feb 2026 22:04:20 +0000
Signed by: Jeremy Bícha <jbicha@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Feb 2026 16:42:19 -0500
Source: libsoup3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.6.5-8
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1126548 1126627 1126628 1126876 1126877
Changes:
 libsoup3 (3.6.5-8) unstable; urgency=high
 .
   [ Bruce Cable ]
   * SECURITY UPDATE: Carriage Return Line Feed Injection
     - debian/patches/CVE-2026-1467.patch: Do host validation when checking if
       a GUri is valid
       - CVE-2026-1467 (Closes: #1126548)
     - debian/patches/CVE-2026-1536.patch: Always validate the headers value
       when coming from untrusted source
       - CVE-2026-1536 (Closes: #1126627)
   * SECURITY UPDATE: Information Leak
     - debian/patches/CVE-2026-1539.patch: Also remove Proxy-Authorization
       header on cross origin redirect
     - CVE-2026-1539 (Closes: #1126628)
 .
   [ Jeremy Bícha ]
   * SECURITY UPDATE: HTTP Request smuggling vulnerability
     - debian/patches/CVE-2026-1760.patch: Close the connection after
       responding to a request containing Content-Length and Transfer-Encoding
       - CVE-2026-1760 (Closes: #1126876)
   * SECURITY UPDATE: Stack-based buffer overflow vulnerability
     - debian/patches/CVE-2026-1761.patch: Make sure read length is smaller
       than buffer length when boundary is found
       - CVE-2026-1761 (Closes: #1126877)
   * SECURITY UPDATE: HTTP Request smuggling vulnerability
     - debian/patches/CVE-2026-1801-pre1.patch: Correct chunked trailers
        end detection
     - debian/patches/CVE-2026-1801.patch: Use CRLF as line boundary
       when parsing chunked encoding data
       - CVE-2026-1801
Checksums-Sha1:
 c16b69f40bb9e4a53079c99395cfdf9cfcf3d424 2957 libsoup3_3.6.5-8.dsc
 18dba61d2e09139b18e5108922f89386d68b5917 56460 libsoup3_3.6.5-8.debian.tar.xz
 d9e620abedc6547d43698e51e6bea038dcd2b3df 13405 libsoup3_3.6.5-8_source.buildinfo
Checksums-Sha256:
 0f3f5e7a68a3bcd4c680dc6b5ef715e8e9e935df435b7b0c39fbd2b57503e105 2957 libsoup3_3.6.5-8.dsc
 4d3d9488ca90dd75f6fce1003d6139d8f54a76c8ea39a2642200e7bf195f6299 56460 libsoup3_3.6.5-8.debian.tar.xz
 113bf93cf1f30f485b1ea3afb91860b8a6b6bcefa8c89964a5a55877c051512a 13405 libsoup3_3.6.5-8_source.buildinfo
Files:
 698a7cb387570744a87f7a5b0d6c8ba1 2957 devel optional libsoup3_3.6.5-8.dsc
 539863e83b083171d659a6b5771074b2 56460 devel optional libsoup3_3.6.5-8.debian.tar.xz
 bc486a607d360aa33fc8112cb038c5d7 13405 devel optional libsoup3_3.6.5-8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETQvhLw5HdtiqzpaW5mx3Wuv+bH0FAmmCa/oACgkQ5mx3Wuv+
bH1YchAAy2e/+y2+EhJRfiQH6mwNXtqhQEZNvshtMwLRh3gsPWtQfoMw2rVyWe+Y
RZiSbhKwy1yORdiDoJqmY/3c8HsstBPTfL1ls7OVSeqpraJokHnNS5Xe3USC4v7s
lS3OH3t1gtXVQkL/CtLGLDK4gRI8qw5Vc90LaDkrE7zz/rMvOI60m9XKrfqdJbNQ
UEgUIKOykzFhP+Klox40bb4ojTOdhqO3qUekBMoFIQy7PbU8R8w4OucgUeiG3Oqg
mmxwj9t/cfYH+cH5dViPSJlGeBLUPeA/bbzBDIDOPKHn0LWc2Ra2efWkzmJEiG2y
BuMf+a8JDcKpTz+nazezyYE745297KyoAjnhKBRT4g+O51j/EWDINUBS36vKTfse
1pvQrMODOaIlaWAYNy1K0OAPQBZ6a8z05gEtT1Hnw4+VqMwIeCoW+9MMnTYKKY5J
/IWiUi+pdwswCPvxKDuyVBq2LE56ICzlxsCMepWZAoW/WHOjL7a4MnozehvriCnr
oiKtPvVxdr5uqsd4/soRjsg/V2Qq5wrg0FLhQZbBQI2MBbkTCpz37MSNbh4oSxdQ
vdzBE1nedX+CCAIVy0ikZceNfOWtsRnbgVBKC5vQs48GoayFui/jL9TVAtgLZzFv
VeEZkPNiWuERCsVJINcDDDgbah794HjxqsiVj1TKDor/QMpIRm8=
=VaQD
-----END PGP SIGNATURE-----
News for package libsoup3
