
The Debian project has released security updates for two packages: libsoup2.4 for Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS and webkit2gtk for Debian GNU/Linux 11 (Bullseye) LTS. The libsoup2.4 update addresses 11 vulnerabilities, including heap buffer over-reads and NULL pointer dereferences that can lead to crashes or memory corruption. The webkit2gtk update fixes four vulnerabilities in the WebKitGTK web engine, which can cause unexpected process crashes or allow websites to access user sensor information without consent.

ELA-1581-1 libsoup2.4 security update


Package : libsoup2.4
Version : 2.56.0-2+deb9u4 (stretch), 2.64.2-2+deb10u2 (buster)

Related CVEs :
CVE-2025-2784
CVE-2025-32050
CVE-2025-32052
CVE-2025-32053
CVE-2025-32906
CVE-2025-32909
CVE-2025-32910
CVE-2025-32911
CVE-2025-32912
CVE-2025-32913
CVE-2025-32914

Multiple issues have been identified in libsoup2.4. This update contains
fixes for a few of them that have previously been addressed in LTS and newer
releases. Additional updates will follow once more of the recently allocated
CVE ids have been analyzed.

CVE-2025-2784:
heap buffer over-read when sniffing content via the skip_insight_whitespace()
function. Libsoup clients may read one byte out-of-bounds in response to a
crafted HTTP response by an HTTP server.
CVE-2025-32050:
libsoup append_param_quoted() function may contain an overflow bug resulting
in a buffer under-read.
CVE-2025-32052:
vulnerability in the sniff_unknown() function may lead to a heap buffer
over-read.
CVE-2025-32053:
vulnerability in sniff_feed_or_html() and skip_insignificant_space()
functions may lead to a heap buffer over-read.
CVE-2025-32906:
soup_headers_parse_request() function may be vulnerable to an out-of-bound
read. This flaw allows a malicious user to use a specially crafted HTTP
request to crash the HTTP server.
CVE-2025-32909:
SoupContentSniffer may be vulnerable to a NULL pointer dereference in the
sniff_mp4 function. The HTTP server may cause the libsoup client to crash.
CVE-2025-32910:
soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference.
This issue may cause the libsoup client to crash.
CVE-2025-32911:
use-after-free memory issue not on the heap in the
soup_message_headers_get_content_disposition() function. This flaw allows a
malicious HTTP client to cause memory corruption in the libsoup server.
CVE-2025-32913:
the soup_message_headers_get_content_disposition() function is vulnerable to
a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a
libsoup client or server that uses this function.
CVE-2025-32914:
the soup_multipart_new_from_message() function is vulnerable to an
out-of-bounds read. This flaw allows a malicious HTTP client to induce the
libsoup server to read out of bounds.
CVE-2025-32912:
SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server
may cause the libsoup client to crash.
Additionally, for buster an updated test certificate was included that
extends its expiration to the year 2049.

[SECURITY] [DLA 4375-1] webkit2gtk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4375-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
November 20, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.50.1-1~deb11u1
CVE ID : CVE-2025-43272 CVE-2025-43342 CVE-2025-43343 CVE-2025-43356
CVE-2025-43368

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-43272

Big Bear discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2025-43342

An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2025-43343

An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2025-43356

Jaydev Ahire discovered that a website may be able to access
sensor information without user consent.

CVE-2025-43368

Pawel Wylecial discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

This WebKitGTK update causes a compatibility problem with older
versions of Evolution when handling e-mail attachments. For this
reason, fixed versions of Evolution have also been released along with
this WebKitGTK update.

For Debian 11 bullseye, these problems have been fixed in version
2.50.1-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS