Описание
Security update for libsoup
This update for libsoup fixes the following issues:
- CVE-2025-14523: Reject duplicated Host in headers and followed upstream update (bsc#1254876).
- CVE-2026-0716: Fixed out-of-bounds read for websocket (bsc#1256418)
- CVE-2026-0719: Fixed overflow for password md4sum (bsc#1256399)
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP5-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP5
Ссылки
- Link for SUSE-SU-2026:0211-1
- E-Mail link for SUSE-SU-2026:0211-1
- SUSE Security Ratings
- SUSE Bug 1254876
- SUSE Bug 1256399
- SUSE Bug 1256418
- SUSE CVE CVE-2025-14523 page
- SUSE CVE CVE-2026-0716 page
- SUSE CVE CVE-2026-0719 page
Описание
A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
Затронутые продукты
Ссылки
- CVE-2025-14523
- SUSE Bug 1254876
Описание
A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted.
Затронутые продукты
Ссылки
- CVE-2026-0716
- SUSE Bug 1256418
Описание
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
Затронутые продукты
Ссылки
- CVE-2026-0719
- SUSE Bug 1256399