Security update for libsoup SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20105-1 Final 1 1 2025-02-03T09:17:47Z current 2025-02-03T09:17:47Z 2025-02-03T09:17:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup This update for libsoup fixes the following issues: - CVE-2024-52530: Fixed HTTP request smuggling via stripping null bytes from the ends of header names (bsc#1233285). - CVE-2024-52531: Fixed buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict (bsc#1233292). - CVE-2024-52532: Fixed infinite loop while reading websocket data (bsc#1233287). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-165 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520105-1/ Link for SUSE-SU-2025:20105-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021216.html E-Mail link for SUSE-SU-2025:20105-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233285 SUSE Bug 1233285 https://bugzilla.suse.com/1233287 SUSE Bug 1233287 https://bugzilla.suse.com/1233292 SUSE Bug 1233292 https://www.suse.com/security/cve/CVE-2024-52530/ SUSE CVE CVE-2024-52530 page https://www.suse.com/security/cve/CVE-2024-52531/ SUSE CVE CVE-2024-52531 page https://www.suse.com/security/cve/CVE-2024-52532/ SUSE CVE CVE-2024-52532 page SUSE Linux Micro 6.0 libsoup-3_0-0-3.4.2-5.1 libsoup-3_0-0-3.4.2-5.1 as a component of SUSE Linux Micro 6.0 GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. CVE-2024-52530 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520105-1/ https://www.suse.com/security/cve/CVE-2024-52530.html CVE-2024-52530 https://bugzilla.suse.com/1233285 SUSE Bug 1233285 GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response). CVE-2024-52531 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520105-1/ https://www.suse.com/security/cve/CVE-2024-52531.html CVE-2024-52531 https://bugzilla.suse.com/1233285 SUSE Bug 1233285 https://bugzilla.suse.com/1233292 SUSE Bug 1233292 GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of WebSocket data from clients. CVE-2024-52532 SUSE Linux Micro 6.0:libsoup-3_0-0-3.4.2-5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520105-1/ https://www.suse.com/security/cve/CVE-2024-52532.html CVE-2024-52532 https://bugzilla.suse.com/1233285 SUSE Bug 1233285 https://bugzilla.suse.com/1233287 SUSE Bug 1233287