| Package | libsoup2.4 |
|---|---|
| Version | 2.48.0-1+deb8u3 (jessie), 2.56.0-2+deb9u3 (stretch), 2.64.2-2+deb10u1 (buster) |
| Related CVEs | CVE-2024-52530 CVE-2024-52531 CVE-2024-52532 |
Multiple vulnerabilities were discovered in libsoup2.4, an HTTP library for Gtk+ programs.
CVE-2024-52530
In some configurations, HTTP request smuggling is possible because null characters at the end of the names of HTTP headers were ignored.
CVE-2024-52531
There was a buffer overflow in applications that perform conversion to
UTF-8 in soup_header_parse_param_list_strict. This could lead to memory
corruption, crashes or information disclosure. (Contrary to the CVE
description, it is now believed that input received over the network could
trigger this.)
CVE-2024-52532
An infinite loop in the processing of WebSocket data from clients could lead to a denial-of-service problem through memory exhaustion.
For Debian 10 buster, these problems have been fixed in version 2.64.2-2+deb10u1.
For Debian 8 jessie, these problems have been fixed in version 2.48.0-1+deb8u3.
For Debian 9 stretch, these problems have been fixed in version 2.56.0-2+deb9u3.
We recommend that you upgrade your libsoup2.4 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.