Debian Bug report logs - #1113991
libsoup3: CVE-2025-9901

version graph

Package: src:libsoup3; Maintainer for src:libsoup3 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 5 Sep 2025 04:37:01 UTC

Severity: important

Tags: security, upstream

Found in version libsoup3/3.6.5-4

Forwarded to https://gitlab.gnome.org/GNOME/libsoup/-/issues/453

Reply or subscribe to this bug.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1113991; Package src:libsoup3. (Fri, 05 Sep 2025 04:37:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 05 Sep 2025 04:37:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsoup3: CVE-2025-9901
Date: Fri, 05 Sep 2025 06:35:34 +0200
Source: libsoup3
Version: 3.6.5-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/453
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:libsoup2.4 2.74.3-10.1
Control: retitle -2 libsoup2.4: CVE-2025-9901

Hi,

The following vulnerability was published for libsoup3.

This is mainly for tracking the issue in the BTS, I think this can be
safely marked no-dsa and addressed once fixed upstream first in
unstable, then see for lower suites.

CVE-2025-9901[0]:
| A flaw was found in libsoup’s caching mechanism, SoupCache, where
| the HTTP Vary header is ignored when evaluating cached responses.
| This header ensures that responses vary appropriately based on
| request headers such as language or authentication. Without this
| check, cached content can be incorrectly reused across different
| requests, potentially exposing sensitive user information. While the
| issue is unlikely to affect everyday desktop use, it could result in
| confidentiality breaches in proxy or multi-user environments.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9901
    https://www.cve.org/CVERecord?id=CVE-2025-9901
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/453

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Bug 1113991 cloned as bug 1113992 Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 05 Sep 2025 04:37:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 23 19:34:35 2026; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.