libsoup-2_4-1-2.74.3-9.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16106 Final 1 1 2025-05-01T00:00:00Z current 2025-05-01T00:00:00Z 2025-05-01T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsoup-2_4-1-2.74.3-9.1 on GA media These are all security issues fixed in the libsoup-2_4-1-2.74.3-9.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16106 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-32907/ SUSE CVE CVE-2025-32907 page https://www.suse.com/security/cve/CVE-2025-32914/ SUSE CVE CVE-2025-32914 page https://www.suse.com/security/cve/CVE-2025-46420/ SUSE CVE CVE-2025-46420 page https://www.suse.com/security/cve/CVE-2025-46421/ SUSE CVE CVE-2025-46421 page openSUSE Tumbleweed libsoup-2_4-1-2.74.3-9.1 libsoup-2_4-1-32bit-2.74.3-9.1 libsoup2-devel-2.74.3-9.1 libsoup2-devel-32bit-2.74.3-9.1 libsoup2-lang-2.74.3-9.1 typelib-1_0-Soup-2_4-2.74.3-9.1 libsoup-2_4-1-2.74.3-9.1 as a component of openSUSE Tumbleweed libsoup-2_4-1-32bit-2.74.3-9.1 as a component of openSUSE Tumbleweed libsoup2-devel-2.74.3-9.1 as a component of openSUSE Tumbleweed libsoup2-devel-32bit-2.74.3-9.1 as a component of openSUSE Tumbleweed libsoup2-lang-2.74.3-9.1 as a component of openSUSE Tumbleweed typelib-1_0-Soup-2_4-2.74.3-9.1 as a component of openSUSE Tumbleweed A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service. CVE-2025-32907 openSUSE Tumbleweed:libsoup-2_4-1-2.74.3-9.1 openSUSE Tumbleweed:libsoup-2_4-1-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-lang-2.74.3-9.1 openSUSE Tumbleweed:typelib-1_0-Soup-2_4-2.74.3-9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-32907.html CVE-2025-32907 https://bugzilla.suse.com/1241222 SUSE Bug 1241222 A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds. CVE-2025-32914 openSUSE Tumbleweed:libsoup-2_4-1-2.74.3-9.1 openSUSE Tumbleweed:libsoup-2_4-1-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-lang-2.74.3-9.1 openSUSE Tumbleweed:typelib-1_0-Soup-2_4-2.74.3-9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-32914.html CVE-2025-32914 https://bugzilla.suse.com/1241164 SUSE Bug 1241164 A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes. CVE-2025-46420 openSUSE Tumbleweed:libsoup-2_4-1-2.74.3-9.1 openSUSE Tumbleweed:libsoup-2_4-1-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-lang-2.74.3-9.1 openSUSE Tumbleweed:typelib-1_0-Soup-2_4-2.74.3-9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-46420.html CVE-2025-46420 https://bugzilla.suse.com/1241686 SUSE Bug 1241686 A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect. CVE-2025-46421 openSUSE Tumbleweed:libsoup-2_4-1-2.74.3-9.1 openSUSE Tumbleweed:libsoup-2_4-1-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-devel-32bit-2.74.3-9.1 openSUSE Tumbleweed:libsoup2-lang-2.74.3-9.1 openSUSE Tumbleweed:typelib-1_0-Soup-2_4-2.74.3-9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-46421.html CVE-2025-46421 https://bugzilla.suse.com/1241688 SUSE Bug 1241688