UbuntuUpdates.org

Package "libsoup3"

Name: libsoup3

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • GObject introspection data for the libsoup HTTP library
  • HTTP library implementation in C -- Shared library
  • HTTP library implementation in C -- Common files
  • HTTP library implementation in C -- Development files
Latest version: 3.6.5-4ubuntu0.2
Release: questing (25.10)
Level: updates
Repository: main

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "libsoup3" in Questing

Repository Area Version
base main 3.6.5-4
base universe 3.6.5-4
security main 3.6.5-4ubuntu0.2
security universe 3.6.5-4ubuntu0.2
updates universe 3.6.5-4ubuntu0.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.6.5-4ubuntu0.2 2026-02-09 04:08:04 UTC

  libsoup3 (3.6.5-4ubuntu0.2) questing-security; urgency=medium

  * SECURITY UPDATE: Carriage Return Line Feed Injection
    - debian/patches/CVE-2026-1467.patch: Do host validation when checking if
      a GUri is valid
    - debian/patches/CVE-2026-1536-pre1.patch: Reject duplicate host headers
    - debian/patches/CVE-2026-1536.patch: Always validate the headers value
      when coming from untrusted source
    - CVE-2026-1467
    - CVE-2026-1536
  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2026-1539.patch: Also remove Proxy-Authorization
      header on cross origin redirect
    - CVE-2026-1539

 -- Bruce Cable <email address hidden> Mon, 02 Feb 2026 15:38:39 +1100
Source diff to previous version
CVE-2026-1467 A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP pro
CVE-2026-1536 A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) seq
CVE-2026-1539 A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTT

Version: 3.6.5-4ubuntu0.1 2025-12-15 21:14:14 UTC

  libsoup3 (3.6.5-4ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Use after free in HTTP/2 queues.
    - debian/patches/CVE-2025-12105.patch: Add SOUP_MESSAGE_FINISHED checks in
      libsoup/soup-session.c.
    - CVE-2025-12105

 -- Hlib Korzhynskyy <email address hidden> Thu, 11 Dec 2025 16:49:21 -0330
CVE-2025-12105 A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP


About   -   Send Feedback to @ubuntu_updates