• Bug#1103515: libsoup2.4: CVE-2025-32911 CVE-2025-32913

    From Simon McVittie@21:1/5 to Syeda Shagufta on Wed May 14 12:50:01 2025
    Please keep the subject line when replying to bug reports: package
    maintainers will often see your email out-of-context among thousands of
    other messages, and it's useful to have an idea of which package you're
    talking about!

    On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
    > I noticed that the changelog in the [2] Salsa Debian
    > Bookworm branch does not match the one in the source code for [3] Debian 12 Bookworm.

    It looks as though Sean Whitton released fixes for some other CVEs but
    didn't update the gnome-team git repository (or perhaps wasn't able to
    update the gnome-team git repository). I've fetched the changes from
    https://salsa.debian.org/lts-team/packages/libsoup and pushed them to
    the gnome-team repository now, so the debian/bookworm branch should be
    up to date.

    Sean, if you can, please push any subsequent work on libsoup2.4 to the
    relevant branches at https://salsa.debian.org/gnome-team/libsoup at the
    time that it's finalized/tagged/uploaded. (If you don't have access, I
    can add you, but I think DDs might have access to gnome-team
    repositories anyway?)

    You're also welcome to push work-in-progress to the wip/* namespace if
    that would be useful (or you can send merge requests from the lts-team's
    fork or from a personal fork). If something is actively being worked on,
    having a "Draft:" MR is probably valuable, even if it isn't ready to
    land yet.

    libsoup2.4 is an obsolete version of libsoup (the current version is
    libsoup3, see #1056125) and the GNOME team has been trying to get other
    Debian packages moved over to libsoup3, so fixing libsoup2.4 has not
    been as high a priority as it might have been. Unfortunately we have not
    been able to remove libsoup2.4, even in the upcoming Debian 13 release,
    because various packages still depend on it (https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-gnome-maintainers%40lists.alioth.debian.org&tag=libsoup2).

    > Could you please advise if I can proceed with proposing the patches for Bookworm?

    Sure, please open a merge request - but you might need to coordinate with
    Sean, who seems to have work-in-progress for some of the other open CVEs.

    Someone who knows this package better than I do should check your
    proposed patches to make sure they make sense as a backport of the
    CVE fixes.

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon McVittie@21:1/5 to Simon McVittie on Wed May 14 16:10:01 2025
    On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
    > On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
    > > Could you please advise if I can proceed with proposing the patches for Bookworm?
    >
    > Sure, please open a merge request - but you might need to coordinate
    > with Sean, who seems to have work-in-progress for some of the other
    > open CVEs.
    >
    > Someone who knows this package better than I do should check your
    > proposed patches to make sure they make sense as a backport of the CVE
    > fixes.

    https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4

    Security team: Are you intending to issue a DSA for this, or is this
    bookworm stable updates material?

    The bookworm stable updates queue is currently frozen for this weekend's
    point release, so if this is intended to go via stable updates, someone
    will need to ask permission from the stable release managers after
    reviewing the changes.

    If we are doing either a stable update or a DSA, including a fix for at
    least #1091502 would probably also be wise.

    It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to
    CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512),
    CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420
    (#1104055). If it is, it probably makes sense to address some or all of
    those in the same update, rather than issuing one update per CVE.

    smcv

  • From Salvatore Bonaccorso@21:1/5 to Simon McVittie on Fri May 16 15:10:01 2025
    Hi Simon,

    On Wed, May 14, 2025 at 03:03:24PM +0100, Simon McVittie wrote:
    > On Wed, 14 May 2025 at 11:45:47 +0100, Simon McVittie wrote:
    > > On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
    > > > Could you please advise if I can proceed with proposing the patches for Bookworm?
    > >
    > > Sure, please open a merge request - but you might need to coordinate
    > > with Sean, who seems to have work-in-progress for some of the other open CVEs.
    > >
    > > Someone who knows this package better than I do should check your
    > > proposed patches to make sure they make sense as a backport of the CVE fixes.
    >
    > https://salsa.debian.org/gnome-team/libsoup/-/merge_requests/4
    >
    > Security team: Are you intending to issue a DSA for this, or is this
    > bookworm stable updates material?
    >
    > The bookworm stable updates queue is currently frozen for this weekend's
    > point release, so if this is intended to go via stable updates, someone
    > will need to ask permission from the stable release managers after
    > reviewing the changes.
    >
    > If we are doing either a stable update or a DSA, including a fix for at
    > least #1091502 would probably also be wise.
    >
    > It isn't clear to me whether bookworm libsoup2.4 is also vulnerable to
    > CVE-2025-32910/CVE-2025-32912 (#1103516), CVE-2025-32914 (#1103512),
    > CVE-2025-32909 (#1103517), CVE-2025-32906 (#1103521), CVE-2025-46420
    > (#1104055). If it is, it probably makes sense to address some or all of
    > those in the same update, rather than issuing one update per CVE.

    FWIW, we think none of the CVEs really warrant a DSA, so let's fix
    those batches of libsoup2.4 issues first in unstable, make sure they
    get into trixie and then let them reach bookworm via a point release
    (i.e. 12.12).

    Regards,
    Salvatore

  • From Sean Whitton@21:1/5 to Simon McVittie on Sat May 17 10:40:02 2025
    Hello,

    On Wed 14 May 2025 at 11:45am +01, Simon McVittie wrote:

    > Please keep the subject line when replying to bug reports: package
    > maintainers will often see your email out-of-context among thousands of
    > other messages, and it's useful to have an idea of which package you're
    > talking about!
    >
    > On Wed, 14 May 2025 at 10:02:32 +0000, Naaz, Syeda Shagufta wrote:
    > > I noticed that the changelog in the [2] Salsa Debian
    > > Bookworm branch does not match the one in the source code for [3] Debian 12 Bookworm.
    >
    > It looks as though Sean Whitton released fixes for some other CVEs but
    > didn't update the gnome-team git repository (or perhaps wasn't able to
    > update the gnome-team git repository). I've fetched the changes from
    > https://salsa.debian.org/lts-team/packages/libsoup and pushed them to
    > the gnome-team repository now, so the debian/bookworm branch should be
    > up to date.
    >
    > Sean, if you can, please push any subsequent work on libsoup2.4 to the
    > relevant branches at https://salsa.debian.org/gnome-team/libsoup at the
    > time that it's finalized/tagged/uploaded. (If you don't have access, I
    > can add you, but I think DDs might have access to gnome-team
    > repositories anyway?)

    I do intend to do a proposed update for bookworm for everything fixed in
    sid. Syeda, I can review your MR at that point, thank you for
    submitting it.

    Simon, I have generally been making MRs for my updates but it would seem
    that I missed some of them. I would be grateful for gnome-team
    membership so that I can be sure to push everything.

    --
    Sean Whitton

  • From Simon McVittie@21:1/5 to Sean Whitton on Sat May 17 11:20:01 2025
    On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
    > On Wed 14 May 2025 at 11:45am +01, Simon McVittie wrote:
    >
    > > Sean, if you can, please push any subsequent work on libsoup2.4 to the
    > > relevant branches at https://salsa.debian.org/gnome-team/libsoup at the
    > > time that it's finalized/tagged/uploaded. (If you don't have access, I
    > > can add you, but I think DDs might have access to gnome-team
    > > repositories anyway?)
    >
    > Simon, I have generally been making MRs for my updates but it would seem
    > that I missed some of them. I would be grateful for gnome-team
    > membership so that I can be sure to push everything.

    I can't add you to the team - sorry, I thought I could, but I'd lost
    track of which groups I'm an Owner in. Instead I've added you to
    gnome-team/libsoup (which contains source package libsoup2.4) and
    gnome-team/libsoup3. If you'll be working on other GNOMEish libraries
    for LTS, for example GLib or GTK, I can add you to those too, or perhaps
    an Owner can give you access to the group as a whole.

    If you have work-in-progress that you want to track, our convention is
    to push branches in the wip/ namespace, like maybe
    wip/spwhitton/sometopic (or you can push to a fork, either works). Merge
    requests also welcome, please mark them as Draft if they aren't ready
    to land just yet.

    At the point where you're ready to upload, please push to the
    appropriate branch - there's no point in having merge requests to review
    things that, from the archive point of view, have already happened.

    Thanks,
    smcv

  • From Sean Whitton@21:1/5 to Simon McVittie on Sun May 18 13:50:01 2025
    Hello,

    On Sat 17 May 2025 at 10:08am +01, Simon McVittie wrote:

    > On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
    > > On Wed 14 May 2025 at 11:45am +01, Simon McVittie wrote:
    > >
    > > > Sean, if you can, please push any subsequent work on libsoup2.4 to the
    > > > relevant branches at https://salsa.debian.org/gnome-team/libsoup at the
    > > > time that it's finalized/tagged/uploaded. (If you don't have access, I
    > > > can add you, but I think DDs might have access to gnome-team
    > > > repositories anyway?)
    > >
    > > Simon, I have generally been making MRs for my updates but it would seem
    > > that I missed some of them. I would be grateful for gnome-team
    > > membership so that I can be sure to push everything.
    >
    > I can't add you to the team - sorry, I thought I could, but I'd lost
    > track of which groups I'm an Owner in. Instead I've added you to
    > gnome-team/libsoup (which contains source package libsoup2.4) and
    > gnome-team/libsoup3. If you'll be working on other GNOMEish libraries
    > for LTS, for example GLib or GTK, I can add you to those too, or perhaps
    > an Owner can give you access to the group as a whole.
    >
    > If you have work-in-progress that you want to track, our convention is
    > to push branches in the wip/ namespace, like maybe
    > wip/spwhitton/sometopic (or you can push to a fork, either works). Merge
    > requests also welcome, please mark them as Draft if they aren't ready
    > to land just yet.
    >
    > At the point where you're ready to upload, please push to the
    > appropriate branch - there's no point in having merge requests to review
    > things that, from the archive point of view, have already happened.

    Thanks, Simon!

    --
    Sean Whitton

  • From Sean Whitton@21:1/5 to All on Sun May 18 15:20:01 2025
    Hello,

    On Sun 18 May 2025 at 09:03am -04, Jeremy Bícha wrote:

    > On Sat, May 17, 2025 at 5:12 AM Simon McVittie <smcv@debian.org> wrote:
    > > On Sat, 17 May 2025 at 09:29:56 +0100, Sean Whitton wrote:
    > > > Simon, I have generally been making MRs for my updates but it would seem
    > > > that I missed some of them. I would be grateful for gnome-team
    > > > membership so that I can be sure to push everything.
    > >
    > > I can't add you to the team - sorry, I thought I could, but I'd lost
    > > track of which groups I'm an Owner in. Instead I've added you to
    > > gnome-team/libsoup (which contains source package libsoup2.4) and
    > > gnome-team/libsoup3. If you'll be working on other GNOMEish libraries
    > > for LTS, for example GLib or GTK, I can add you to those too, or perhaps
    > > an Owner can give you access to the group as a whole.
    >
    > Sean, I added you as a "Developer" for the GNOME team.

    Ah, thanks.

    --
    Sean Whitton
