Format: 1.8
Date: Tue, 03 Feb 2026 17:00:07 -0500
Source: libsoup3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.6.5-9
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1125156 1126548 1126627 1126628 1126876 1126877
Changes:
 libsoup3 (3.6.5-9) unstable; urgency=high
 .
   * SECURITY UPDATE: Out-of-bounds read
     - debian/patches/CVE-2026-0716-pre1.patch: websocket: do not accept
       messages frames after closing due to an error
     - debian/patches/CVE-2026-0716.patch: websocket: Fix out-of-bounds
       read in process_frame
     - CVE-2026-0716 (Closes: #1125156)
 .
 libsoup3 (3.6.5-8) unstable; urgency=high
 .
   [ Bruce Cable ]
   * SECURITY UPDATE: Carriage Return Line Feed Injection
     - debian/patches/CVE-2026-1467.patch: Do host validation when
       checking if a GUri is valid
     - CVE-2026-1467 (Closes: #1126548)
     - debian/patches/CVE-2026-1536.patch: Always validate the headers
       value when coming from untrusted source
     - CVE-2026-1536 (Closes: #1126627)
   * SECURITY UPDATE: Information Leak
     - debian/patches/CVE-2026-1539.patch: Also remove
       Proxy-Authorization header on cross origin redirect
     - CVE-2026-1539 (Closes: #1126628)
 .
   [ Jeremy Bícha ]
   * SECURITY UPDATE: HTTP Request smuggling vulnerability
     - debian/patches/CVE-2026-1760.patch: Close the connection after
       responding to a request containing Content-Length and
       Transfer-Encoding
     - CVE-2026-1760 (Closes: #1126876)
   * SECURITY UPDATE: Stack-based buffer overflow vulnerability
     - debian/patches/CVE-2026-1761.patch: Make sure read length is
       smaller than buffer length when boundary is found
     - CVE-2026-1761 (Closes: #1126877)
   * SECURITY UPDATE: HTTP Request smuggling vulnerability
     - debian/patches/CVE-2026-1801-pre1.patch: Correct chunked trailers
       end detection
     - debian/patches/CVE-2026-1801.patch: Use CRLF as line boundary when
       parsing chunked encoding data
     - CVE-2026-1801