Updated libsoup3 & libsoup packages fix security vulnerabilities
Publication date: 05 Nov 2025
Modification date: 05 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-2784, CVE-2025-32049, CVE-2025-32050, CVE-2025-32051, CVE-2025-32052, CVE-2025-32053, CVE-2025-32906, CVE-2025-32907, CVE-2025-32908, CVE-2025-32909, CVE-2025-32910, CVE-2025-32911, CVE-2025-32912, CVE-2025-32913, CVE-2025-32914
Description
Libsoup: heap buffer over-read in `skip_insignificant_space` when
sniffing content. (CVE-2025-2784)
Libsoup: denial of service attack to websocket server. (CVE-2025-32049)
Libsoup: integer overflow in append_param_quoted. (CVE-2025-32050)
Libsoup: segmentation fault when parsing malformed data uri.
(CVE-2025-32051)
Libsoup: heap buffer overflow in sniff_unknown(). (CVE-2025-32052)
Libsoup: heap buffer overflows in sniff_feed_or_html() and
skip_insignificant_space(). (CVE-2025-32053)
Libsoup: out of bounds reads in soup_headers_parse_request().
(CVE-2025-32906)
Libsoup: denial of service in server when client requests a large amount
of overlapping ranges with range header. (CVE-2025-32907)
Libsoup: denial of service on libsoup through http/2 server.
(CVE-2025-32908)
Libsoup: null pointer dereference on libsoup through function
"sniff_mp4" in soup-content-sniffer.c. (CVE-2025-32909)
Libsoup: null pointer dereference on libsoup via /auth/soup-auth-digest.c
through "soup_auth_digest_authenticate" on client when server omits the
"realm" parameter in an unauthorized response with digest
authentication. (CVE-2025-32910)
Libsoup: double free on soup_message_headers_get_content_disposition()
through "soup-message-headers.c" via "params" ghashtable value.
(CVE-2025-32911)
Libsoup: null pointer dereference in client when server omits the
"nonce" parameter in an unauthorized response with digest
authentication. (CVE-2025-32912)
Libsoup: null pointer dereference in
soup_message_headers_get_content_disposition when "filename" parameter
is present, but has no value in content-disposition header.
(CVE-2025-32913)
Libsoup: oob read on libsoup through function
"soup_multipart_new_from_message" in soup-multipart.c leads to crash or
exit of process. (CVE-2025-32914)
Libsoup: memory leak on soup_header_parse_quality_list() via
soup-headers.c. (CVE-2025-46420)
Libsoup: information disclosure: libsoup client may send the
authorization header to a different host when being redirected by a
server. (CVE-2025-46421)
Libsoup: null pointer dereference in libsoup may lead to denial of
service. (CVE-2025-4476)
Libsoup: integer overflow in cookie expiration date handling in libsoup.
(CVE-2025-4945)
References
- https://bugs.mageia.org/show_bug.cgi?id=34187
- https://ubuntu.com/security/notices/USN-7432-1
- https://openwall.com/lists/oss-security/2025/04/18/4
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/53THXHSDPP4TLMFRSP5DPLY4DK72M7XY/
- https://ubuntu.com/security/notices/USN-7543-1
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NK7USYFSJPRTIVISSEDBLS53JCM5ETOI/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/EPLHUVQI4JICGWTVGG7KI7D4BMHB34YD/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2784
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32050
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32051
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32052
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32053
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32906
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32908
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32909
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32910
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32911
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32912
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32913
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32914
SRPMS
9/core
- libsoup3-3.4.2-1.2.mga9
- libsoup-2.74.3-1.2.mga9