libsoup-2.62.2-2.0.1.0.5.el7.AXS7
Errata ID: AXSA:2025-10698:12
Libsoup is an HTTP library implementation in C. It was originally part
of a SOAP (Simple Object Access Protocol) implementation called Soup, but
the SOAP and non-SOAP parts have now been split into separate packages.
libsoup uses the Glib main loop and is designed to work well with GTK
applications. This enables GNOME applications to access HTTP servers
on the network in a completely asynchronous fashion, very similar to
the Gtk+ programming model (a synchronous operation mode is also
supported for those who want it).
Security Fix(es):
* CVE-2025-32050: fix overflow in append_param_quoted()
* CVE-2025-32052: fix heap buffer overflow in soup_content_sniffer_sniff()
* CVE-2025-32053: fix heap buffer overflow in sniff_feed_or_html()
* CVE-2025-32907: soup-message-headers: correct merge of ranges
* CVE-2025-46420: fix leak in soup_header_parse_quality_list()
* CVE-2025-46421: strip authentication credentials on cross-origin redirect
* CVE-2025-2784: fix heap buffer over-read when sniffing content via the
skip_insight_whitespace() function
CVE(s):
CVE-2025-32052
CVE-2025-46420
CVE-2025-32053
CVE-2025-32050
CVE-2025-2784
CVE-2025-32907
CVE-2025-46421
Update packages.
A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.
A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read.
A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read.
A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.
A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes.
A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.
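The range-request flaw described above lets one request name the same range many times. As an added example (not libsoup's code and not the actual patch), the following C program coalesces a `Range` header before anything is served, so repeated or overlapping ranges collapse into one. `byte_range`, `parse_ranges`, `coalesce_ranges` and `ranges_to_serve` are hypothetical names, and only the explicit `first-last` form without whitespace is accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type for this example (not libsoup's own): inclusive offsets. */
typedef struct { long start, end; } byte_range;

static int cmp_start(const void *a, const void *b) {
    const byte_range *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Parse "bytes=a-b,c-d,..." into out[]. Returns the count, or -1 when the
 * header is malformed or lists more than max ranges. */
int parse_ranges(const char *hdr, byte_range *out, int max) {
    int n = 0;
    char *e;
    if (strncmp(hdr, "bytes=", 6) != 0) return -1;
    for (hdr += 6; ; hdr = e + 1) {
        if (n == max || !isdigit((unsigned char)*hdr)) return -1;
        out[n].start = strtol(hdr, &e, 10);
        if (*e != '-' || !isdigit((unsigned char)e[1])) return -1;
        out[n].end = strtol(e + 1, &e, 10);
        if (out[n].end < out[n].start) return -1;
        n++;
        if (*e == '\0') return n;
        if (*e != ',') return -1;
    }
}

/* Sort by start offset, then merge overlapping or adjacent ranges in place. */
int coalesce_ranges(byte_range *r, int n) {
    int w = 0;
    if (n <= 1) return n;
    qsort(r, (size_t)n, sizeof *r, cmp_start);
    for (int i = 1; i < n; i++) {
        if (r[i].start - 1 <= r[w].end) {      /* overlaps or touches r[w] */
            if (r[i].end > r[w].end) r[w].end = r[i].end;
        } else {
            r[++w] = r[i];
        }
    }
    return w + 1;
}

/* Number of distinct ranges a server needs to serve for this header, or -1. */
int ranges_to_serve(const char *hdr, byte_range *out, int max) {
    int n = parse_ranges(hdr, out, max);
    return n < 0 ? -1 : coalesce_ranges(out, n);
}

int main(void) {
    byte_range r[16];
    /* Constructed header: the same range repeated, as in the flaw description. */
    int n = ranges_to_serve("bytes=0-99,0-99,0-99,0-99", r, 16);
    printf("%d range(s): %ld-%ld\n", n, r[0].start, r[0].end);
    return 0;
}
```

The `max` argument bounds how many ranges are parsed at all, so an oversized header is rejected before sorting or merging.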
N/A
SRPMS
- libsoup-2.62.2-2.0.1.0.5.el7.AXS7.src.rpm not found
Asianux Server 7 for x86_64
- libsoup-2.62.2-2.0.1.0.5.el7.AXS7.i686.rpm
MD5: b03b7e75634d38cb8e2fc7c07f9ea944
SHA-256: 66e85064ddfe88f5a764a79dc088d3f2f0cee4e60b620089877f7127cd4e32f5
Size: 396.53 kB
- libsoup-2.62.2-2.0.1.0.5.el7.AXS7.x86_64.rpm
MD5: 294d17f9bc8a838516662b78074827a9
SHA-256: dfb32275e4d3b648f99d7145766ce3073f67677dafbdb99c8e727eac44f87a71
Size: 411.84 kB
- libsoup-devel-2.62.2-2.0.1.0.5.el7.AXS7.i686.rpm
MD5: 794f7705a5162e343581d6216224f4f0
SHA-256: 9de02a12e7758b9ef89dec26058cd63eb52c7e8b33f1203f6d639cf8c80c9f99
Size: 310.87 kB
- libsoup-devel-2.62.2-2.0.1.0.5.el7.AXS7.x86_64.rpm
MD5: 2c3f46c403b337386721a2ecfed06848
SHA-256: 977ecfd198933056e4e6217495b5f6f8736d9493d875e2195e343ce4c4861384
Size: 310.85 kB