File _patchinfo of Package patchinfo.42858

<patchinfo incident="42858">
  <!-- Patch metadata for maintenance incident 42858: a security update for
       libsoup2 that lists seven CVEs. -->
  <!--generated with prepare-update from request 402464-->
  <!-- Bug-tracker entries (tracker="bnc"), one per fixed vulnerability. Each id
       reappears as a bsc# reference in the description below, and each title
       names the CVE it tracks. -->
  <!-- NOTE(review): the title for bnc 1240751 (CVE-2025-32049) names only
       "libsoup", while the other six name "libsoup,libsoup2". Confirm that the
       libsoup2 package is affected, since the summary and description
       attribute every fix to libsoup2. -->
  <issue tracker="bnc" id="1240751">VUL-0: CVE-2025-32049: libsoup: Denial of Service attack to websocket server</issue>
  <issue tracker="bnc" id="1257398">VUL-0: CVE-2026-1467: libsoup,libsoup2: lack of input sanitization can lead to unintended or unauthorized HTTP requests</issue>
  <issue tracker="bnc" id="1257441">VUL-0: CVE-2026-1539: libsoup,libsoup2: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects</issue>
  <issue tracker="bnc" id="1257597">VUL-0: CVE-2026-1760: libsoup,libsoup2: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request smuggling and potential DoS</issue>
  <issue tracker="bnc" id="1258120">VUL-0: CVE-2026-2369: libsoup,libsoup2: Buffer overread due to integer underflow when handling zero-length resources</issue>
  <issue tracker="bnc" id="1258170">VUL-0: CVE-2026-2443: libsoup,libsoup2: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers</issue>
  <issue tracker="bnc" id="1258508">VUL-0: CVE-2026-2708: libsoup,libsoup2: HTTP request smuggling via duplicate Content-Length headers</issue>
  <!-- CVE identifiers (tracker="cve"), one per bnc entry above and in the same
       order. -->
  <issue tracker="cve" id="2025-32049"/>
  <issue tracker="cve" id="2026-1467"/>
  <issue tracker="cve" id="2026-1539"/>
  <issue tracker="cve" id="2026-1760"/>
  <issue tracker="cve" id="2026-2369"/>
  <issue tracker="cve" id="2026-2443"/>
  <issue tracker="cve" id="2026-2708"/>
  <!-- Classification of the update as a whole. There is a single rating for all
       seven issues; per-CVE severity is not recorded in this file. -->
  <category>security</category>
  <rating>important</rating>
  <packager>mgorse</packager>
  <summary>Security update for libsoup2</summary>
  <!-- User-facing advisory text: one bullet per CVE with its bsc# reference.
       Per the bullets, the fixes cover HTTP request smuggling (CVE-2026-1760,
       CVE-2026-2708), out-of-bounds reads (CVE-2026-2369, CVE-2026-2443),
       proxy credential leakage on redirects (CVE-2026-1539), unintended HTTP
       requests from unsanitized input (CVE-2026-1467) and a websocket server
       denial of service (CVE-2025-32049). -->
  <description>This update for libsoup2 fixes the following issues:

- CVE-2025-32049: denial of service attack to websocket server (bsc#1240751).
- CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
- CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects
  (bsc#1257441).
- CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request
  smuggling and potential DoS (bsc#1257597).
- CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
- CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information
  disclosure to remote attackers (bsc#1258170).
- CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).
</description>
</patchinfo>