Описание
Security update for libsoup
This update for libsoup fixes the following issues:
- CVE-2026-0716: improper bounds handling may allow out-of-bounds read (bsc#1256418).
- CVE-2025-4476: null pointer dereference may lead to denial of service (bsc#1243422).
- CVE-2025-32049: denial of Service attack to websocket server (bsc#1240751).
- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers (bsc#1258170).
- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).
Список пакетов
SUSE Linux Enterprise Server 12 SP5-LTSS
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
Ссылки
- Link for SUSE-SU-2026:0703-1
- E-Mail link for SUSE-SU-2026:0703-1
- SUSE Security Ratings
- SUSE Bug 1240751
- SUSE Bug 1243422
- SUSE Bug 1256418
- SUSE Bug 1258120
- SUSE Bug 1258170
- SUSE Bug 1258508
- SUSE CVE CVE-2025-32049 page
- SUSE CVE CVE-2025-4476 page
- SUSE CVE CVE-2026-0716 page
- SUSE CVE CVE-2026-2369 page
- SUSE CVE CVE-2026-2443 page
- SUSE CVE CVE-2026-2708 page
Описание
A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).
Затронутые продукты
Ссылки
- CVE-2025-32049
- SUSE Bug 1240751
- SUSE Bug 1250562
Описание
A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server.
Затронутые продукты
Ссылки
- CVE-2025-4476
- SUSE Bug 1243422
Описание
A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted.
Затронутые продукты
Ссылки
- CVE-2026-0716
- SUSE Bug 1256418
Описание
unknown
Затронутые продукты
Ссылки
- CVE-2026-2369
- SUSE Bug 1258120
Описание
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
Затронутые продукты
Ссылки
- CVE-2026-2443
- SUSE Bug 1258170
Описание
unknown
Затронутые продукты
Ссылки
- CVE-2026-2708
- SUSE Bug 1258508