* CVE-2011-2054: Fixed a security hole that caused some SoupServer users to unintentionally allow accessing the entire local filesystem when they thought they were only providing access to a single directory. [#653258]
Fixed versions were just bumped, but we cannot stabilize them yet due to problems with KDE reported in bug 365479; the problem is that we still don't know how to fix it :S
Don't mean to butt in, but the CVE name referenced here is incorrect (and so is the package, actually). It should be libsoup, not libproxy, and the CVE name is CVE-2011-2524, as per:
I've asked upstream to correct the changelog (found the same in libsoup's 2.34.3 NEWS file).
Yes, the summary is wrong because I copied it wrongly ;-)
As discussed in the KDE team meeting: please go ahead, we do not know for sure but believe that bug 365479 is fixed (as there have been no real duplicates since the moment when glib-networking-2.28.7 was the only version left in the tree).
Ok, thank you.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
=net-libs/glib-networking-2.28.7 is also pulled in.
+ 04 Sep 2011; Tony Vroon <email@example.com> glib-networking-2.28.7.ebuild:
+ Marked stable as a dependency of net-libs/libsoup-2.34.3 based on arch
+ testing by Agostino "ago" Sarubbo in bug #376793 filed by Pacho Ramos.
+ 04 Sep 2011; Tony Vroon <firstname.lastname@example.org> libsoup-2.34.3.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in bug
+ #376793 filed by Pacho Ramos.
Let's hope kde is not needed here anymore. :)
=net-libs/libsoup-gnome-2.34.3 also needs to be stabilized as libsoup and libsoup-gnome versions need to match (apparently).
I've archtested libsoup-gnome-2.34.3 on x86 and everything's fine so it should be fine on the other arches if libsoup itself is fine.
Re-added x86, arm and amd64 to the bug. If I wasn't supposed to/allowed to do this, sorry. :D
(In reply to comment #10)
> =net-libs/libsoup-gnome-2.34.3 also needs to be stabilized as libsoup and
> libsoup-gnome versions need to match (apparently).
@gnome, is this correct?
(In reply to comment #11)
> (In reply to comment #10)
> > =net-libs/libsoup-gnome-2.34.3 also needs to be stabilized as libsoup and
> > libsoup-gnome versions need to match (apparently).
> @gnome, is this correct?
Yes, we need the same version of libsoup-gnome at the same visibility level as libsoup, as this is a source-level split on the Gentoo side of what's shipped in the same tarball: two different libraries, with libsoup-gnome having extra deps, hence two packages.
Note that the main change encompassing the separate libsoup-gnome library is a complete rewrite of the gnome proxy resolver, basically scrapping all the code inside in favor of directly using GProxyResolver inside glib-networking while requesting the gnome method of it specifically:
* Added SoupProxyResolverDefault, which uses gio's GProxyResolver to resolve proxies [#642982, Gustavo Noronha Silva]. Despite the "default" in the name, it is not used by default, for compatibility reasons, but it is available in plain libsoup, not libsoup-gnome. (Of course, it depends on having glib-networking installed.)
* Updated SoupProxyResolverGNOME to be based on SoupProxyResolverDefault, but explicitly requesting the "gnome" GProxyResolver if it is available [#625898], and removed the old code that used GConf and libproxy directly.
In other words, it should be good to go, as glib-networking has been sorted for the net-libs/libsoup package anyhow.
Ok, great, thanks, Mart. Thanks too, JD, for the heads up.
Arches, the new list is:
=net-libs/libsoup-gnome-2.34.3 is also ok on amd64.
+ 05 Sep 2011; Tony Vroon <email@example.com> libsoup-gnome-2.34.3.ebuild:
+ Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+ Lazkani & Agostino "ago" Sarubbo in security bug #376793 filed by Pacho
I am expressing my displeasure at the withheld dependencies. This has been keyworded.
arm/x86 stable, thanks JD
Stable for HPPA.
Thanks, folks. GLSA Vote: yes.
Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI.
Vote: YES. New GLSA request filed.
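As an added illustration of the bug class in that CVE description (this is not libsoup's code, nor its fix in soup-uri.c): a check that only looks for a literal ".." in the raw URI path lets %2e%2e through, whereas decoding first and then tracking segment depth refuses any path that would climb above the served directory. The function names, the constructed decoder and the 1024-byte buffer are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode %XX escapes (constructed helper, not libsoup's). Rejects malformed
 * escapes and an encoded NUL, which would otherwise truncate the path. */
static bool percent_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return false;
        if (in[i] != '%') { out[o++] = in[i]; continue; }
        int hi = hexval(in[i + 1]);
        int lo = (hi < 0) ? -1 : hexval(in[i + 2]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return false;
        out[o++] = (char)(hi * 16 + lo);
        i += 2;
    }
    out[o] = '\0';
    return true;
}

/* Flawed pattern: inspects the raw URI, so "%2e%2e" never matches "..". */
bool naive_path_ok(const char *uri_path) {
    return strstr(uri_path, "..") == NULL;
}

/* Hardened check: decode first, then walk '/'-separated segments and track
 * depth below the served root; a ".." that would climb above it is refused. */
bool path_stays_in_root(const char *uri_path) {
    char dec[1024];                       /* buffer size is an assumption */
    if (!percent_decode(uri_path, dec, sizeof dec)) return false;
    int depth = 0;
    for (const char *p = dec; *p != '\0';) {
        while (*p == '/') p++;
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        depth += (len == 2 && seg[0] == '.' && seg[1] == '.') ? -1 : 1;
        if (depth < 0) return false;      /* would escape the root */
    }
    return true;
}
```

The depth walk also catches %2f-encoded slashes and mixed-case escapes, which a raw substring check misses for the same reason.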
It appears libsoup-2.34.3 left the tree over two years ago (10 Oct 2012); maybe this is not worth a GLSA anymore?
This issue was resolved and addressed in
GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).