USN-7126-1: libsoup vulnerabilities
27 November 2024
Several security issues were fixed in libsoup.
Releases
Packages
- libsoup2.4 - HTTP client/server library for GNOME
Details
It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
an HTTP request smuggling attack. (CVE-2024-52530)
It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)
It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)
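The header-name issue (CVE-2024-52530) belongs to a class of parsing differences that strict validation removes. The following is an added example, not libsoup's code or its fix: it checks every byte of a header name against the RFC 9110 token grammar and rejects the line instead of ignoring trailing bytes, with a lenient variant beside it for contrast. The function names and sample lines are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 9110 "tchar" set; NUL is tested explicitly since strchr matches it. */
static bool is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return true;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Strict: returns the field-name length of one raw header line (len bytes,
 * no CRLF), or -1 if any byte before the first ':' is not a tchar. */
long strict_header_name_len(const char *line, size_t len)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL || colon == line)
        return -1;                       /* no separator or empty name */
    size_t name_len = (size_t)(colon - line);
    for (size_t i = 0; i < name_len; i++)
        if (!is_tchar((unsigned char)line[i]))
            return -1;                   /* reject; never skip or trim */
    return (long)name_len;
}

/* Lenient, for contrast only (constructed, not libsoup's code): silently
 * drops non-token bytes at the end of the name, the behaviour to avoid. */
long lenient_header_name_len(const char *line, size_t len)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL)
        return -1;
    size_t n = (size_t)(colon - line);
    while (n > 0 && !is_tchar((unsigned char)line[n - 1]))
        n--;
    return n > 0 ? (long)n : -1;
}
int main(void)
{
    /* Constructed sample lines: a clean name and one with a trailing space. */
    const char ok[] = "Content-Length: 10", bad[] = "Content-Length : 10";
    printf("clean:    strict=%ld lenient=%ld\n",
           strict_header_name_len(ok, sizeof ok - 1), lenient_header_name_len(ok, sizeof ok - 1));
    printf("trailing: strict=%ld lenient=%ld\n",
           strict_header_name_len(bad, sizeof bad - 1), lenient_header_name_len(bad, sizeof bad - 1));
    return 0;
}
```

When two components in a request path disagree in this way (one accepts the padded name, the other does not), they can disagree about message framing, which is the precondition for request smuggling.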
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
Ubuntu 24.04
Ubuntu 22.04
Ubuntu 20.04
Ubuntu 18.04
- libsoup2.4-1 - 2.62.1-1ubuntu0.4+esm1 (Available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-7127-1: libsoup-3.0-dev, libsoup-3.0-0, libsoup-3.0-tests, libsoup-3.0-common, libsoup3, gir1.2-soup-3.0, libsoup-3.0-doc