[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3992-1] libsoup2.4 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3992-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Sean Whitton
December 12, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libsoup2.4
Version        : 2.72.0-2+deb11u1
CVE ID         : CVE-2024-52530 CVE-2024-52531 CVE-2024-52532
Debian Bug     : 1088812 1089238 1089240

Multiple vulnerabilities were discovered in libsoup2.4, an HTTP library
for Gtk+ programs.

CVE-2024-52530

    In some configurations, HTTP request smuggling is possible because
    null characters at the end of the names of HTTP headers were
    ignored.

CVE-2024-52531

    There was a buffer overflow in applications that perform conversion
    to UTF-8 in soup_header_parse_param_list_strict.  This could lead to
    memory corruption, crashes or information disclosure.
    (Contrary to the CVE description, it is now believed that input
    received over the network could trigger this.)

CVE-2024-52532

    An infinite loop in the processing of WebSocket data from clients
    could lead to a denial-of-service problem through memory exhaustion.

For Debian 11 bullseye, these problems have been fixed in version
2.72.0-2+deb11u1.

We recommend that you upgrade your libsoup2.4 packages.

For the detailed security status of libsoup2.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsoup2.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature


Reply to: