Red Hat Product Errata RHSA-2025:9179 - Security Advisory
Issued:
2025-06-17
Updated:
2025-06-17

RHSA-2025:9179 - Security Advisory

Synopsis

Important: libsoup security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for libsoup is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The libsoup packages provide an HTTP client and server library for GNOME.

Security Fix(es):

  • libsoup: Heap buffer over-read in `skip_insignificant_space` when sniffing content (CVE-2025-2784)
  • libsoup: Denial of Service attack to websocket server (CVE-2025-32049)
  • libsoup: Out of bounds reads in soup_headers_parse_request() (CVE-2025-32906)
  • libsoup: Double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" GHashTable value (CVE-2025-32911)
  • libsoup: NULL pointer dereference in soup_message_headers_get_content_disposition when "filename" parameter is present, but has no value in Content-Disposition header (CVE-2025-32913)
  • libsoup: OOB Read on libsoup through function "soup_multipart_new_from_message" in soup-multipart.c leads to crash or exit of process (CVE-2025-32914)
  • libsoup: Integer Underflow in soup_multipart_new_from_message() Leading to Denial of Service in libsoup (CVE-2025-4948)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

  • BZ - 2354669 - CVE-2025-2784 libsoup: Heap buffer over-read in `skip_insignificant_space` when sniffing content
  • BZ - 2357066 - CVE-2025-32049 libsoup: Denial of Service attack to websocket server
  • BZ - 2359341 - CVE-2025-32906 libsoup: Out of bounds reads in soup_headers_parse_request()
  • BZ - 2359355 - CVE-2025-32911 libsoup: Double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" GHashTable value
  • BZ - 2359357 - CVE-2025-32913 libsoup: NULL pointer dereference in soup_message_headers_get_content_disposition when "filename" parameter is present, but has no value in Content-Disposition header
  • BZ - 2359358 - CVE-2025-32914 libsoup: OOB Read on libsoup through function "soup_multipart_new_from_message" in soup-multipart.c leads to crash or exit of process
  • BZ - 2367183 - CVE-2025-4948 libsoup: Integer Underflow in soup_multipart_new_from_message() Leading to Denial of Service in libsoup

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
libsoup-2.62.2-6.el7_9.src.rpm SHA-256: ec8273393fbc1090dec981e882cdc325811c8e32c00743673a6b51ab6af9f9d3
x86_64
libsoup-2.62.2-6.el7_9.i686.rpm SHA-256: c2e1a4c90846405ef7773dd2a477b6c2e99cf6e12f0eb541dbad0fa453a594df
libsoup-2.62.2-6.el7_9.x86_64.rpm SHA-256: 1d1bbdaddff8c3b7cbcf4c193cb476a1d4a93d91151a421d3f731ea2e1e6ab31
libsoup-debuginfo-2.62.2-6.el7_9.i686.rpm SHA-256: dcbca3521ada64c2761e57bef2a15d8dbc0f483fc9d1cf34bceb25febc456a23
libsoup-debuginfo-2.62.2-6.el7_9.x86_64.rpm SHA-256: cf0f789600b67e331f5352dc73d5030aa34c0d4ae367d4e1412b966f46d75691
libsoup-devel-2.62.2-6.el7_9.i686.rpm SHA-256: 3a88d5ad574ce90cddd3fbb2bc2baa691a04c5c00bc444db75de74ab7170bef2
libsoup-devel-2.62.2-6.el7_9.x86_64.rpm SHA-256: 4fab0fcad0ce9c1f0b1884e9180dd86163883609f5b7b93fd60b2c20df998a9c

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
libsoup-2.62.2-6.el7_9.src.rpm SHA-256: ec8273393fbc1090dec981e882cdc325811c8e32c00743673a6b51ab6af9f9d3
s390x
libsoup-2.62.2-6.el7_9.s390x.rpm SHA-256: 3eaf47228e35e47851e99f5d7c9be357dcd210c46f6262e87cf8dc16bf097116
libsoup-debuginfo-2.62.2-6.el7_9.s390x.rpm SHA-256: 5dd2e369a142f74dce7d5d1c04bfdb10ee8487d44b7e21f4a790747289922078
libsoup-devel-2.62.2-6.el7_9.s390x.rpm SHA-256: cbbb85da3ce7b6479eeb8e3f6c6b7f10d96a162db750a9bb6c681a45e27e876b

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
libsoup-2.62.2-6.el7_9.src.rpm SHA-256: ec8273393fbc1090dec981e882cdc325811c8e32c00743673a6b51ab6af9f9d3
ppc64
libsoup-2.62.2-6.el7_9.ppc64.rpm SHA-256: 7dcf9417070d0cb36654e9b4b42a149bd9d17d18c7f9058407b116f148aecd98
libsoup-debuginfo-2.62.2-6.el7_9.ppc64.rpm SHA-256: 1c69176facf93f00babb33cdbb3513a61b74166b262cb920cc3396632e785474
libsoup-devel-2.62.2-6.el7_9.ppc64.rpm SHA-256: bbc5f2e67ff48a4c2179bf0eb0bc9d5fa45d909c27e992d4b7f333498f16e2f9

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
libsoup-2.62.2-6.el7_9.src.rpm SHA-256: ec8273393fbc1090dec981e882cdc325811c8e32c00743673a6b51ab6af9f9d3
ppc64le
libsoup-2.62.2-6.el7_9.ppc64le.rpm SHA-256: 4cf0d8be4d75d48e09ac252822836b59f053e6bb5a5b836198bc000503a7682e
libsoup-debuginfo-2.62.2-6.el7_9.ppc64le.rpm SHA-256: c780732fd05b4c4436df387034abe1b5b99c1e3415705845365d360212c4aaf4
libsoup-devel-2.62.2-6.el7_9.ppc64le.rpm SHA-256: f1cac89b8f2063f9e344d80c0154aa96fa38fb0267f630600d047a424ecc0f62

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.