Security update for libsoup2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0253-1 Final 1 1 2026-01-22T16:08:05Z current 2026-01-22T16:08:05Z 2026-01-22T16:08:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsoup2 This update for libsoup2 fixes the following issues: - CVE-2025-14523: Reject duplicated Host in headers and followed upstream update (bsc#1254876). - CVE-2026-0719: Fixed overflow for password md4sum (bsc#1256399) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-253,SUSE-SLE-Module-Basesystem-15-SP7-2026-253,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-253,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-253,openSUSE-SLE-15.6-2026-253 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260253-1/ Link for SUSE-SU-2026:0253-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023895.html E-Mail link for SUSE-SU-2026:0253-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1254876 SUSE Bug 1254876 https://bugzilla.suse.com/1256399 SUSE Bug 1256399 https://www.suse.com/security/cve/CVE-2025-14523/ SUSE CVE CVE-2025-14523 page https://www.suse.com/security/cve/CVE-2026-0719/ SUSE CVE CVE-2026-0719 page SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP6-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP6 openSUSE Leap 15.6 libsoup-2_4-1-2.74.3-150600.4.19.1 libsoup-2_4-1-32bit-2.74.3-150600.4.19.1 libsoup-2_4-1-64bit-2.74.3-150600.4.19.1 libsoup2-devel-2.74.3-150600.4.19.1 libsoup2-devel-32bit-2.74.3-150600.4.19.1 libsoup2-devel-64bit-2.74.3-150600.4.19.1 libsoup2-lang-2.74.3-150600.4.19.1 typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 libsoup-2_4-1-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsoup2-devel-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsoup2-lang-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsoup-2_4-1-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libsoup2-devel-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libsoup2-lang-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server 15 SP6-LTSS libsoup-2_4-1-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 libsoup2-devel-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 libsoup2-lang-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 libsoup-2_4-1-2.74.3-150600.4.19.1 as a component of openSUSE Leap 15.6 libsoup-2_4-1-32bit-2.74.3-150600.4.19.1 as a component of openSUSE Leap 15.6 libsoup2-devel-2.74.3-150600.4.19.1 as a component of openSUSE Leap 15.6 libsoup2-devel-32bit-2.74.3-150600.4.19.1 as a component of openSUSE Leap 15.6 libsoup2-lang-2.74.3-150600.4.19.1 as a component of openSUSE Leap 15.6 typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 as a component of openSUSE Leap 15.6 A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers. CVE-2025-14523 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup-2_4-1-2.74.3-150600.4.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup2-devel-2.74.3-150600.4.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup2-lang-2.74.3-150600.4.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup-2_4-1-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup2-devel-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup2-lang-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup-2_4-1-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup2-devel-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup2-lang-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup-2_4-1-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup-2_4-1-32bit-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup2-devel-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup2-devel-32bit-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup2-lang-2.74.3-150600.4.19.1 openSUSE Leap 15.6:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260253-1/ https://www.suse.com/security/cve/CVE-2025-14523.html CVE-2025-14523 https://bugzilla.suse.com/1254876 SUSE Bug 1254876 A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. CVE-2026-0719 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup-2_4-1-2.74.3-150600.4.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup2-devel-2.74.3-150600.4.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsoup2-lang-2.74.3-150600.4.19.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup-2_4-1-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup2-devel-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:libsoup2-lang-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server 15 SP6-LTSS:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup-2_4-1-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup2-devel-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:libsoup2-lang-2.74.3-150600.4.19.1 SUSE Linux Enterprise Server for SAP Applications 15 SP6:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup-2_4-1-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup-2_4-1-32bit-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup2-devel-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup2-devel-32bit-2.74.3-150600.4.19.1 openSUSE Leap 15.6:libsoup2-lang-2.74.3-150600.4.19.1 openSUSE Leap 15.6:typelib-1_0-Soup-2_4-2.74.3-150600.4.19.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260253-1/ https://www.suse.com/security/cve/CVE-2026-0719.html CVE-2026-0719 https://bugzilla.suse.com/1256399 SUSE Bug 1256399