Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Mon, 07 Oct 2019 14:45:05 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#941912; Package src:libsoup2.4.
(Wed, 09 Oct 2019 10:51:03 GMT).
Acknowledgement sent
to Claudio Saavedra <csaavedra@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Wed, 09 Oct 2019 10:51:03 GMT).
On Mon, 07 Oct 2019 16:43:28 +0200 Salvatore Bonaccorso <
carnil@debian.org> wrote:
> Please adjust the affected versions in the BTS as needed.
I'm the libsoup maintainer. This bug affects libsoup from 2.65.1 until
2.68.1, previous versions are unaffected. I just uploaded upstream new
packages fixing this vulnerability for the 2.66 and 2.68 series (2.66.4
and 2.68.2, respectively).
Claudio
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#941912.
(Wed, 09 Oct 2019 11:21:06 GMT).
Control: tag -1 pending
Hello,
Bug #941912 in libsoup reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/gnome-team/libsoup/commit/a1dfa0953116346e91d240f7b70fb6dc55393fff
------------------------------------------------------------------------
New upstream release (CVE-2019-17266)
Closes: #941912
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/941912
Added tag(s) pending.
Request was from Simon McVittie <noreply@salsa.debian.org>
to 941912-submitter@bugs.debian.org.
(Wed, 09 Oct 2019 11:21:06 GMT).
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Wed, 09 Oct 2019 14:39:15 GMT).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 09 Oct 2019 14:39:15 GMT).
Source: libsoup2.4
Source-Version: 2.68.2-1
We believe that the bug you reported is fixed in the latest version of
libsoup2.4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 941912@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated libsoup2.4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 09 Oct 2019 12:23:19 +0100
Source: libsoup2.4
Architecture: source
Version: 2.68.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 941912
Changes:
 libsoup2.4 (2.68.2-1) unstable; urgency=medium
 .
   * Team upload
   * d/gbp.conf: Switch branch to debian/unstable.
     We should upload the fix for CVE-2019-17266 to unstable, but
     the debian/master branch already has a version waiting for NEW
     processing.
   * New upstream release (CVE-2019-17266) (Closes: #941912)
   * libsoup-gnome2.4-dev: Explicitly depend on gir1.2-soup-2.4.
     According to the GIR mini-policy, this is required because
     gir1.2-soup-2.4 contains SoupGNOME-2.4.typelib, corresponding to
     SoupGNOME-2.4.gir in libsoup-gnome2.4-dev. This dependency is not in
     fact strictly necessary, because libsoup-gnome2.4-dev depends on
     libsoup2.4-dev which in turn depends on gir1.2-soup-2.4, but Lintian
     doesn't look at recursive dependencies.
   * libsoup2.4-doc.links: Create symlinks to documentation in /usr/share/doc.
     The actual documentation files remain in /usr/share/gtk-doc/html,
     because they are technically a programmatic interface: other libraries
     that depend on libsoup2.4 and use gtk-doc will use that path to fix
     cross-references in their own documentation.
     There are symlinks in both /u/s/d/libsoup2.4-dev (the "main package"
     in Policy §12.3), and /u/s/d/libsoup2.4-doc (the traditional location
     for documentation).
   * libsoup2.4-doc: Add Recommends: libglib2.0-doc, for the cross-references.
     The libsoup2.4 documentation contains many cross-references to GLib,
     GObject and GIO documentation. Add symlinks in /usr/share/doc so that
     those cross-references can be followed, even in browsers that treat
     symlinks like directories for the purposes of resolving relative paths.
   * d/libsoup2.4-doc.doc-base: Use the symlinks in /usr/share/doc.
     This is functionally equivalent to what we already had, but silences
     a Lintian error.
   * Standards-Version: 4.4.1 (no changes required)
   * d/copyright: Update
   * d/p/xmlrpc-tests-Cope-with-GLib-2.62-TAP-output.patch:
     Add proposed patch to fix test failures with GLib 2.62
   * Explicitly build-depend on libapache2-mod-php, PHP 7 and Python 3.
     The script that checks for the required PHP version is written in
     Python 3 and specifically looks for a php7* module. It seems that in
     practice the dependency resolver used on unstable buildds will always
     select libapache2-mod-php anyway, but the resolver used on
     experimental buildds can select the -cgi or -fpm implementations,
     which are not detected, resulting in the necessary files for some of
     the installed-tests not being installed.
   * Add lintian overrides for the binary package names not precisely
     matching the SONAMEs.
     They're close enough to achieve the goal of the mechanically-generated
     naming convention, and changing them now (other than at the time of an
     upstream SONAME bump) seems like more disruption than it's worth.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#941912; Package src:libsoup2.4.
(Wed, 09 Oct 2019 18:51:03 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Wed, 09 Oct 2019 18:51:03 GMT).
Hi Claudio,
On Wed, Oct 09, 2019 at 01:10:04PM +0300, Claudio Saavedra wrote:
> On Mon, 07 Oct 2019 16:43:28 +0200 Salvatore Bonaccorso <
> carnil@debian.org> wrote:
>
> > Please adjust the affected versions in the BTS as needed.
>
> I'm the libsoup maintainer. This bug affects libsoup from 2.65.1 until
> 2.68.1, previous versions are unaffected. I just uploaded upstream new
> packages fixing this vulnerability for the 2.66 and 2.68 series (2.66.4
> and 2.68.2, respectively).
Thanks for this information, so I'm updating the tracker information.
While at it, I'm pretty sure
https://gitlab.gnome.org/GNOME/libsoup/issues/173 was previously
accessible, but now it is not anymore (I was wondering about the
reason).
Regards,
Salvatore
Marked as found in versions libsoup2.4/2.65.91-1.
Request was from Simon McVittie <smcv@debian.org>
to control@bugs.debian.org.
(Wed, 09 Oct 2019 19:03:03 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#941912; Package src:libsoup2.4.
(Thu, 10 Oct 2019 07:51:03 GMT).
Acknowledgement sent
to Claudio Saavedra <csaavedra@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 10 Oct 2019 07:51:03 GMT).
On Wed, 2019-10-09 at 20:48 +0200, Salvatore Bonaccorso wrote:
>
> Thanks for this information, so I'm updating the tracker information.
Thank you.
> While at it, I'm pretty sure
> https://gitlab.gnome.org/GNOME/libsoup/issues/173 was previously
> accessible, but now it is not anymore (I was wondering about the
> reason).
I decided to mark it confidential considering the nature of the issue.
Feel free to contact me privately if you want/need to access it.
Claudio
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 Nov 2019 07:25:25 GMT).