UbuntuUpdates.org

Package "libsoup3"

Name: libsoup3

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • GObject introspection data for the libsoup HTTP library
  • HTTP library implementation in C -- Shared library
  • HTTP library implementation in C -- Common files
  • HTTP library implementation in C -- API Reference

Latest version: 3.4.4-5ubuntu0.7
Release: noble (24.04)
Level: security
Repository: main

Other versions of "libsoup3" in Noble

Repository  Area      Version
base        universe  3.4.4-5build2
base        main      3.4.4-5build2
security    universe  3.4.4-5ubuntu0.7
updates     universe  3.4.4-5ubuntu0.6
updates     main      3.4.4-5ubuntu0.7


Changelog

Version: 3.4.4-5ubuntu0.7 2026-02-09 00:08:24 UTC

  libsoup3 (3.4.4-5ubuntu0.7) noble-security; urgency=medium

  * SECURITY UPDATE: Carriage Return Line Feed Injection
    - debian/patches/CVE-2026-1467.patch: Do host validation when checking if
      a GUri is valid
    - debian/patches/CVE-2026-1536-pre1.patch: Reject duplicate host headers
    - debian/patches/CVE-2026-1536.patch: Always validate the headers value
      when coming from untrusted source
    - CVE-2026-1467
    - CVE-2026-1536
  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2026-1539.patch: Also remove Proxy-Authorization
      header on cross origin redirect
    - CVE-2026-1539

 -- Bruce Cable <email address hidden> Mon, 02 Feb 2026 15:38:57 +1100

CVE-2026-1467 A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP pro
CVE-2026-1536 A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) seq
CVE-2026-1539 A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTT

Version: 3.4.4-5ubuntu0.6 2025-12-15 18:18:17 UTC

  libsoup3 (3.4.4-5ubuntu0.6) noble-security; urgency=medium

  * SECURITY UPDATE: Use after free in HTTP/2 queues.
    - debian/patches/CVE-2025-12105.patch: Add SOUP_MESSAGE_FINISHED checks in
      libsoup/soup-session.c.
    - CVE-2025-12105

 -- Hlib Korzhynskyy <email address hidden> Thu, 11 Dec 2025 17:37:16 -0330

CVE-2025-12105 A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP

Version: 3.4.4-5ubuntu0.5 2025-07-17 16:07:33 UTC

  libsoup3 (3.4.4-5ubuntu0.5) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of service.
    - debian/patches/CVE-2025-32907-*.patch: Add i-- in
      libsoup/soup-message-headers.c. Add B_SANITIZE_OPTION to meson.build.
    - debian/patches/CVE-2025-4948.patch: Add ternary end - 2 - split check in
      libsoup/soup-multipart.c.
    - CVE-2025-32907
    - CVE-2025-4948
  * SECURITY UPDATE: Out of bounds read.
    - debian/patches/CVE-2025-4969.patch: Add extra if checks for start of line
      in libsoup/soup-multipart.c.
    - CVE-2025-4969
  * SECURITY UPDATE: Improper validation of cookie expiration.
    - debian/patches/CVE-2025-4945-*.patch: Add extra date checks in
      libsoup/soup-date-utils.c.
    - CVE-2025-4945

 -- Hlib Korzhynskyy <email address hidden> Mon, 14 Jul 2025 16:35:26 -0230

CVE-2025-32907 A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious c
CVE-2025-4948 A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other application
CVE-2025-4969 A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. Th
CVE-2025-4945 A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises whe

Version: 3.4.4-5ubuntu0.4 2025-05-28 17:07:23 UTC

  libsoup3 (3.4.4-5ubuntu0.4) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of service.
    - debian/patches/CVE-2025-32908-1.patch: Add NULL checks with returns for
      NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE in
      ./libsoup/server/http2/soup-server-message-io-http2.c.
    - debian/patches/CVE-2025-32908-2.patch: Improve NULL checks in
      ./libsoup/server/http2/soup-server-message-io-http2.c.
    - debian/patches/CVE-2025-4476.patch: Replace strcmp with g_strcmp0 in
      ./libsoup/auth/soup-auth-digest.c.
    - CVE-2025-32908
    - CVE-2025-4476

 -- Hlib Korzhynskyy <email address hidden> Thu, 22 May 2025 15:14:07 -0230

CVE-2025-32908 A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which m
CVE-2025-4476 A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a

Version: 3.4.4-5ubuntu0.3 2025-05-07 19:07:28 UTC

  libsoup3 (3.4.4-5ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: Out of bound read.
    - debian/patches/CVE-2025-32906-*.patch: Add out of bound checks in
      soup_headers_parse_request in ./libsoup/soup-headers.c.
    - debian/patches/CVE-2025-32914.patch: Replace strstr operation with
      g_strstr_len in ./libsoup/soup-multipart.c.
    - CVE-2025-32906
    - CVE-2025-32914
  * SECURITY UPDATE: Null pointer dereference.
    - debian/patches/CVE-2025-32909.patch: Add resource size check in
      ./libsoup/content-sniffer/soup-content-sniffer.c.
    - debian/patches/CVE-2025-32910-32912-*.patch: Add checks for missing realm
      and nonce, and fix memory leak in ./libsoup/auth/soup-auth-digest.c.
    - debian/patches/CVE-2025-32912-*.patch: Add additional checks for nonce in
      ./libsoup/auth/soup-auth-digest.c.
    - CVE-2025-32909
    - CVE-2025-32910
    - CVE-2025-32912
  * SECURITY UPDATE: Memory corruption.
    - debian/patches/CVE-2025-32911-32913-*.patch: Add checks for empty
      filename in ./libsoup/soup-message-headers.c.
    - CVE-2025-32911
    - CVE-2025-32913
  * SECURITY UPDATE: Memory leak.
    - debian/patches/CVE-2025-46420.patch: Free allocated strings during
      iteration in ./libsoup/soup-headers.c.
    - CVE-2025-46420
  * SECURITY UPDATE: Information exposure through host impersonation.
    - debian/patches/CVE-2025-46421.patch: Strip credentials on cross-origin
      redirects in ./libsoup/soup-session.c.
    - CVE-2025-46421

 -- Hlib Korzhynskyy <email address hidden> Wed, 30 Apr 2025 16:32:01 -0230

CVE-2025-32906 A flaw was found in libsoup, where the soup_headers_parse_request() function may be vulnerable to an out-of-bound read. This flaw allows a malicious
CVE-2025-32914 A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a maliciou
CVE-2025-32909 A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause
CVE-2025-32910 A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup clie
CVE-2025-32912 A flaw was found in libsoup, where SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash.
CVE-2025-32911 A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a maliciou
CVE-2025-32913 A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw
CVE-2025-46420 A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that conta
CVE-2025-46421 A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that


