USN-7127-1: libsoup3 vulnerabilities
27 November 2024
Several security issues were fixed in libsoup3.
Releases
Packages
- libsoup3 - GObject introspection data for the libsoup HTTP library
Details
It was discovered that libsoup ignored certain characters at the end of
header names. A remote attacker could possibly use this issue to perform
a HTTP request smuggling attack. This issue only affected Ubuntu 22.04 LTS
and Ubuntu 24.04 LTS. (CVE-2024-52530)
It was discovered that libsoup did not correctly handle memory while
performing UTF-8 conversions. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code. (CVE-2024-52531)
It was discovered that libsoup could enter an infinite loop when reading
certain websocket data. An attacker could possibly use this issue to
cause a denial of service. (CVE-2024-52532)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
Ubuntu 24.04
Ubuntu 22.04
-
libsoup-3.0-0
-
3.0.7-0ubuntu1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-7126-1: libsoup-2.4-1, libsoup2.4-doc, libsoup-gnome2.4-dev, libsoup2.4, libsoup2.4-dev, libsoup2.4-common, libsoup2.4-1, libsoup-gnome-2.4-1, libsoup2.4-tests, gir1.2-soup-2.4, libsoup-gnome2.4-1