On 11/9/24 10:45, Alan Coopersmith wrote:
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home lists four security
vulnerabilities reported against libsoup since June 2024, none of which have
CVE IDs listed as being assigned.  (For those not familiar with it, libsoup is
an HTTP client/server library for the GNOME desktop.)

It appears that Mitre issued CVE IDs for the first 3 of these yesterday:

1) Request smuggling via stripping of null bytes from the ends of header names
    https://gitlab.gnome.org/GNOME/libsoup/-/issues/377

https://www.cve.org/CVERecord?id=CVE-2024-52530

2) headers: Be more robust against invalid input when parsing params
    https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407

https://www.cve.org/CVERecord?id=CVE-2024-52531

3) Infinite loop while reading websocket data
    https://gitlab.gnome.org/GNOME/libsoup/-/issues/391

https://www.cve.org/CVERecord?id=CVE-2024-52532

--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
