Описание
Security update for libsoup2
This update for libsoup2 fixes the following issues:
- CVE-2025-14523: Reject duplicated Host in headers and followed upstream update (bsc#1254876).
- CVE-2026-0719: Fixed overflow for password md4sum (bsc#1256399)
Список пакетов
SUSE Linux Enterprise Module for Basesystem 15 SP7
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP6
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2026:0253-1
- E-Mail link for SUSE-SU-2026:0253-1
- SUSE Security Ratings
- SUSE Bug 1254876
- SUSE Bug 1256399
- SUSE CVE CVE-2025-14523 page
- SUSE CVE CVE-2026-0719 page
Описание
A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
Затронутые продукты
Ссылки
- CVE-2025-14523
- SUSE Bug 1254876
Описание
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
Затронутые продукты
Ссылки
- CVE-2026-0719
- SUSE Bug 1256399