Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Fedora 39: FEDORA-2024-a059ea1dfc moderate: libsoup3 HTTP issues

fedora
Calendar Grey November 26, 2024
Dist Fedora Esm H88
Update for Fedora 39 users to resolve the issues of HTTP request smuggling and infinite loops in libsoup3. Use the dnf package manager for installation and updates.
Add patches to fix: CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from the ends of header names (bug #2325358) CVE-2024-52532 libsoup3: infinite loop whi...

Summary

Libsoup is an HTTP library implementation in C. It was originally part

of a SOAP (Simple Object Access Protocol) implementation called Soup, but

the SOAP and non-SOAP parts have now been split into separate packages.

libsoup uses the Glib main loop and is designed to work well with GTK

applications. This enables GNOME applications to access HTTP servers

on the network in a completely asynchronous fashion, very similar to

the Gtk+ programming model (a synchronous operation mode is also

supported for those who want it), but the SOAP parts were removed

long ago.

Update Information:

Add patches to fix: CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from the ends of header names (bug #2325358) CVE-2024-52532 libsoup3: infinite loop while reading websocket data (bug #2325356)

Topics%20covered

Topics Covered

security advisory Fedora update information infinite loop HTTP smuggling libsoup3

Change Log

* Tue Nov 12 2024 Milan Crha - 3.4.4-3 - Add a patch to fix CVE-2024-52532 (infinite loop while reading websocket data) * Tue Nov 12 2024 Milan Crha - 3.4.4-2 - Add a patch to fix CVE-2024-52530 (headers: Strictly don't allow NUL bytes)

References


[ 1 ] Bug #2325356 - CVE-2024-52532 libsoup3: infinite loop while reading websocket data [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2325356 [ 2 ] Bug #2325358 - CVE-2024-52530 libsoup3: HTTP request smuggling via stripping null bytes from the ends of header names [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2325358

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-a059ea1dfc' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: libsoup3
Product: Fedora 39
Version: 3.4.4
Release: 3.fc39
URL: https://wiki.gnome.org/Projects/libsoup
Summary: Soup, an HTTP library implementation

Topics%20covered

Topics Covered

security advisory Fedora update information infinite loop HTTP smuggling libsoup3

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here