Bug#1088812: libsoup2.4: CVE-2024-52530
Moritz Mühlenhoff
jmm at inutil.org
Sun Dec 1 16:44:49 GMT 2024
Source: libsoup2.4
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libsoup2.4.
CVE-2024-52530[0]:
| GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
| configurations because '\0' characters at the end of header names
| are ignored, i.e., a "Transfer-Encoding\0: chunked" header is
| treated the same as a "Transfer-Encoding: chunked" header.
https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (3.5.2)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52530
https://www.cve.org/CVERecord?id=CVE-2024-52530
Please adjust the affected versions in the BTS as needed.
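To make the smuggling condition in the CVE text concrete, here is an added example in C (libsoup's implementation language). It is not libsoup's code and does not reproduce its parser; it is a deliberately small model of the behaviour the advisory describes: a field name that is copied into a NUL-terminated C buffer and compared as a C string silently loses everything after an embedded '\0', so "Transfer-Encoding\0" matches "Transfer-Encoding". The hardened variant rejects any name byte outside the RFC 9110 token set before comparing. The header block, the host name and all function names are constructed for this example. A front end that keeps the raw bytes and forwards the unknown name untouched frames the body by Content-Length, the vulnerable back end frames it by chunked encoding, and that disagreement is the request-smuggling primitive.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Classification of one raw header line (bytes up to and including the line terminator). */
enum hdr_class { HDR_INVALID = -1, HDR_OTHER = 0, HDR_TRANSFER_ENCODING = 1 };

static const char TE_NAME[] = "Transfer-Encoding";
#define TE_NAME_LEN (sizeof TE_NAME - 1)

/* ASCII case-insensitive comparison of exactly n bytes; unlike strcasecmp it does not stop at NUL. */
static bool bytes_ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Offset of the ':' that ends the field name, or (size_t)-1 if the line has none. */
static size_t name_length(const unsigned char *line, size_t len)
{
    const unsigned char *colon = memchr(line, ':', len);
    return colon ? (size_t)(colon - line) : (size_t)-1;
}

/* Model of the flaw (hypothetical, not libsoup's code): the name is copied into a
 * NUL-terminated buffer and handled as a C string, so strlen() and any string compare
 * stop at the embedded NUL and "Transfer-Encoding\0" collapses to "Transfer-Encoding". */
int classify_header_vuln(const unsigned char *line, size_t len)
{
    size_t n = name_length(line, len);
    char name[64];
    if (n == (size_t)-1 || n >= sizeof name) return HDR_INVALID;
    memcpy(name, line, n);
    name[n] = '\0';
    size_t seen = strlen(name);               /* 17, not 18, for the tainted name */
    if (seen == TE_NAME_LEN && bytes_ieq((const unsigned char *)name, TE_NAME, seen))
        return HDR_TRANSFER_ENCODING;
    return HDR_OTHER;
}

/* A front end that compares the raw bytes and forwards unknown names as-is:
 * the 18-byte name is simply some other header, so Content-Length governs framing. */
int classify_header_lenient(const unsigned char *line, size_t len)
{
    size_t n = name_length(line, len);
    if (n == (size_t)-1) return HDR_INVALID;
    return (n == TE_NAME_LEN && bytes_ieq(line, TE_NAME, n)) ? HDR_TRANSFER_ENCODING : HDR_OTHER;
}

/* RFC 9110 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" /
 * "`" / "|" / "~" / DIGIT / ALPHA. NUL is excluded explicitly so strchr cannot match it. */
static bool is_tchar(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Hardened: reject the whole line if any name byte is not a token character, so a NUL
 * (or any other control byte) never reaches the comparison. */
int classify_header_strict(const unsigned char *line, size_t len)
{
    size_t n = name_length(line, len);
    if (n == (size_t)-1 || n == 0) return HDR_INVALID;
    for (size_t i = 0; i < n; i++)
        if (!is_tchar(line[i])) return HDR_INVALID;
    return classify_header_lenient(line, len);
}

/* Walk a header block under one classifier and decide body framing:
 * 1 = chunked, 0 = Content-Length (or no body), -1 = block rejected. */
int body_framing(const unsigned char *hdrs, size_t len,
                 int (*classify)(const unsigned char *, size_t))
{
    int chunked = 0;
    for (size_t pos = 0; pos < len;) {
        const unsigned char *eol = memchr(hdrs + pos, '\n', len - pos);
        size_t line_len = eol ? (size_t)(eol - (hdrs + pos)) + 1 : len - pos;
        if (line_len == 1 || (line_len == 2 && hdrs[pos] == '\r'))
            break;                            /* empty line ends the header block */
        int c = classify(hdrs + pos, line_len);
        if (c == HDR_INVALID) return -1;
        if (c == HDR_TRANSFER_ENCODING) chunked = 1;
        pos += line_len;
    }
    return chunked;
}

/* Constructed header blocks (not captured traffic). The first carries both a Content-Length
 * and a NUL-tainted Transfer-Encoding, so the two parsers disagree about the body length. */
static const unsigned char SMUGGLE_HDRS[] =
    "Host: example.test\r\n"
    "Content-Length: 4\r\n"
    "Transfer-Encoding\0: chunked\r\n"
    "\r\n";
static const unsigned char CLEAN_HDRS[] =
    "Host: example.test\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n";
#define RAW_LEN(s) (sizeof (s) - 1)           /* keeps the embedded NUL, drops the terminator */

int main(void)
{
    printf("front end (lenient): %d\n", body_framing(SMUGGLE_HDRS, RAW_LEN(SMUGGLE_HDRS), classify_header_lenient));
    printf("back end (vuln)    : %d\n", body_framing(SMUGGLE_HDRS, RAW_LEN(SMUGGLE_HDRS), classify_header_vuln));
    printf("back end (fixed)   : %d\n", body_framing(SMUGGLE_HDRS, RAW_LEN(SMUGGLE_HDRS), classify_header_strict));
    return 0;
}
```

The fix shape to look for when reviewing the upstream commit is the same as in classify_header_strict: validation of every name byte against the token set before the name is ever treated as a C string, rather than a special case for NUL alone.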