- Revert several commits which update the meson dependence from 0.54 to 0.62.
- These changes are not core function but block the build in early releases.
- This fix could enable the libsoup update to the latest verion in SLE-15-SP4
and SP5, which will fix many CVE bugs.
- This fix only enable on SLE-15-SP4 and SP5 in SPEC file.
header on cross origin redirect
(bsc#1257441, CVE-2026-1539, glgo#GNOME/libsoup#489).
+ libsoup-CVE-2026-1467.patch
+ libsoup-CVE-2026-1760.patch
- Add libsoup-CVE-2026-1467.patch: uri-utils: do host validation
when checking if a GUri is valid
(bsc#1257398, CVE-2026-1467, glgo#GNOME/libsoup#488).
- Add libsoup-CVE-2026-1760.patch: server: close the connection
after responsing a request containing...
(bsc#1257597, CVE-2026-1760, glgo#GNOME/libsoup#475).
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup?expand=0&rev=331
- Update to version 3.6.5:
+ session: Strip authentication credentials on cross-origin
redirects
+ build: Use pkg-config instead of krb5-config for the gssapi
dependency
+ http1: When using chunked encoding report an error in case of
unexpected stream end
+ http2:
- When a message has no content still respect its Content-Type
- Revert manual window size management temporarily, as it could
stall
+ sniffer: Fix potential overflows
+ hsts: Fix minor leak
+ headers: Fix a few parsing edge cases that could be an out of
bound read
+ connection: Avoid ever calling disconnect twice
+ auth-digest: Fix handling when a nonce isn't present
+ cookies:
- Limit max size of max-age, path, and domain attributes to
1024 bytes
- Limit max size of name and value to 4096 bytes
+ docs: Remove references to old libsoup domain
+ Reintroduce some thread-safety to SoupSession (see
https://libsoup.gnome.org/libsoup-3.0/client-thread-safety.html)
Numerous API have been changed which is documented on
https://libsoup.gnome.org
- Replace pkgconfig(krb5) with pkgconfig(krb5-gssapi)
BuildRequires: Following upstream changes, and stop passing
krb5_config="$(which krb5-config)" to meson setup, no longer
needed nor recognized. (forwarded request 1255109 from iznogood)
OBS-URL: https://build.opensuse.org/request/show/1255568
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsoup?expand=0&rev=152
- Update to version 3.6.5:
+ session: Strip authentication credentials on cross-origin
redirects
+ build: Use pkg-config instead of krb5-config for the gssapi
dependency
+ http1: When using chunked encoding report an error in case of
unexpected stream end
+ http2:
- When a message has no content still respect its Content-Type
- Revert manual window size management temporarily, as it could
stall
+ sniffer: Fix potential overflows
+ hsts: Fix minor leak
+ headers: Fix a few parsing edge cases that could be an out of
bound read
+ connection: Avoid ever calling disconnect twice
+ auth-digest: Fix handling when a nonce isn't present
+ cookies:
- Limit max size of max-age, path, and domain attributes to
1024 bytes
- Limit max size of name and value to 4096 bytes
+ docs: Remove references to old libsoup domain
+ Reintroduce some thread-safety to SoupSession (see
https://libsoup.gnome.org/libsoup-3.0/client-thread-safety.html)
Numerous API have been changed which is documented on
https://libsoup.gnome.org
- Replace pkgconfig(krb5) with pkgconfig(krb5-gssapi)
BuildRequires: Following upstream changes, and stop passing
krb5_config="$(which krb5-config)" to meson setup, no longer
needed nor recognized.
OBS-URL: https://build.opensuse.org/request/show/1255109
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup?expand=0&rev=302
- Update to version 3.6.1:
+ Fix `soup_uri_copy()` reading port as a long instead of an int
+ Fix possible NULL deref in `soup_uri_decode_data_uri()`
+ Fix possible overflow in `SoupContentSniffer`
+ Fix assertion in `soup_uri_decode_data_uri()` on URLs with a
path starting with `//`
+ headers: Be more robust against invalid input when parsing
params
+ websocket: Fix possibility of being stuck in a read loop
- Drop patches fixed upstream:
+ 6adc0e3e.patch
+ 29b96fab.patch
+ a35222dd.patch
+ 4c9e75c6.patch
6adc0e3e.patch (forwarded request 1225898 from iznogood)
OBS-URL: https://build.opensuse.org/request/show/1226285
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsoup?expand=0&rev=148
- Update to version 3.6.1:
+ Fix `soup_uri_copy()` reading port as a long instead of an int
+ Fix possible NULL deref in `soup_uri_decode_data_uri()`
+ Fix possible overflow in `SoupContentSniffer`
+ Fix assertion in `soup_uri_decode_data_uri()` on URLs with a
path starting with `//`
+ headers: Be more robust against invalid input when parsing
params
+ websocket: Fix possibility of being stuck in a read loop
- Drop patches fixed upstream:
+ 6adc0e3e.patch
+ 29b96fab.patch
+ a35222dd.patch
+ 4c9e75c6.patch
6adc0e3e.patch
OBS-URL: https://build.opensuse.org/request/show/1225898
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup?expand=0&rev=294
- Add 6adc0e3e.patch: websocket: Process the frame as soon as we
read data (boo#1233287 CVE-2024-52532 glgo#GNOME/libsoup#391).
- Add 29b96fab.patch: websocket-test: disconnect error copy after
the test ends (glgo#GNOME/libsoup#391).
- Add a35222dd.patch: be more robust against invalid input when
parsing params (boo#1233292 CVE-2024-52531
glgo#GNOME/libsoup!407).
OBS-URL: https://build.opensuse.org/request/show/1223813
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup?expand=0&rev=290