Source: libsoup3
Version: 3.6.5-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/453
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:libsoup2.4 2.74.3-10.1
Control: retitle -2 libsoup2.4: CVE-2025-9901

Hi,

The following vulnerability was published for libsoup3.

This is mainly for tracking the issue in the BTS, I think this can be
safely marked no-dsa and addressed once fixed upstream first in
unstable, then see for lower suites.

CVE-2025-9901[0]:
| A flaw was found in libsoup’s caching mechanism, SoupCache, where
| the HTTP Vary header is ignored when evaluating cached responses.
| This header ensures that responses vary appropriately based on
| request headers such as language or authentication. Without this
| check, cached content can be incorrectly reused across different
| requests, potentially exposing sensitive user information. While the
| issue is unlikely to affect everyday desktop use, it could result in
| confidentiality breaches in proxy or multi-user environments.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9901
    https://www.cve.org/CVERecord?id=CVE-2025-9901
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/453

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
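
Added example, not part of the original report and not libsoup code: a sketch of the check the CVE description says is missing, where a cache compares every request header named in the stored response's Vary value before reusing the entry. The `struct hdr` type, the function names and the sample requests are hypothetical; values are compared byte for byte and only the first occurrence of a header is considered.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal header pair; not libsoup's SoupMessageHeaders. */
struct hdr { const char *name; const char *value; };

/* Case-insensitive lookup of the field name[0..len); NULL if absent. */
static const char *hdr_get(const struct hdr *h, size_t n, const char *name, size_t len)
{
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < len && tolower((unsigned char)h[i].name[j]) == tolower((unsigned char)name[j]))
            j++;
        if (j == len && h[i].name[j] == '\0')
            return h[i].value;
    }
    return NULL;
}

/* Returns 1 if a response cached for request `stored` with the given Vary value may be served to `incoming`. */
int vary_allows_reuse(const char *vary, const struct hdr *stored, size_t ns,
                      const struct hdr *incoming, size_t ni)
{
    const char *p = vary ? vary : "";
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;   /* skip separators */
        const char *start = p;
        while (*p && *p != ',' && !isspace((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        if (len == 0) break;                        /* trailing separators */
        if (len == 1 && *start == '*') return 0;    /* "Vary: *" never matches */
        const char *a = hdr_get(stored, ns, start, len);
        const char *b = hdr_get(incoming, ni, start, len);
        if ((a == NULL) != (b == NULL)) return 0;   /* present in only one request */
        if (a && strcmp(a, b) != 0) return 0;       /* values differ */
    }
    return 1;
}

/* Constructed sample requests for the same URL from two users. */
static const struct hdr req_alice[] = {{"Authorization", "Bearer token-alice"}, {"Accept-Language", "en"}};
static const struct hdr req_bob[]   = {{"authorization", "Bearer token-bob"}, {"Accept-Language", "en"}};
int main(void)
{
    printf("Vary: Authorization   -> reuse=%d\n", vary_allows_reuse("Authorization", req_alice, 2, req_bob, 2));
    printf("Vary: Accept-Language -> reuse=%d\n", vary_allows_reuse("Accept-Language", req_alice, 2, req_bob, 2));
    return 0;
}
```

A cache that skips this comparison behaves as if every call returned 1, which is the cross-request reuse the description warns about for proxy or multi-user setups.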

