Source: libsoup3
Version: 3.6.5-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/475
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libsoup3. Filing mainly for
tracking the upstream issue.

CVE-2026-1760[0]:
| A flaw was found in SoupServer. This HTTP request smuggling
| vulnerability occurs because SoupServer improperly handles requests
| that combine Transfer-Encoding: chunked and Connection: keep-alive
| headers. A remote, unauthenticated client can exploit this by
| sending specially crafted requests, causing SoupServer to fail to
| close the connection as required by RFC 9112. This allows the
| attacker to smuggle additional requests over the persistent
| connection, leading to unintended request processing and potential
| denial-of-service (DoS) conditions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1760
    https://www.cve.org/CVERecord?id=CVE-2026-1760
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/475
[2] https://gitlab.gnome.org/GNOME/libsoup/-/commit/6224df5a471e9040a99dd3dc2e91817a701b1bf6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

