Amazon Linux 2023 Security Advisory: ALAS-2024-772
Advisory Release Date: 2024-12-05 20:34 Pacific
Advisory Updated Date: 2024-12-16 13:30 Pacific
Severity:
Important
References:
CVE-2024-52530
CVE-2024-52531
CVE-2024-52532
FAQs regarding Amazon Linux ALAS/CVE Severity
FAQs regarding Amazon Linux ALAS/CVE Severity
Issue Overview:
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. (CVE-2024-52530)
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. Input received over the network cannot trigger this. (CVE-2024-52531)
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of WebSocket data from clients. (CVE-2024-52532)
Affected Packages:
libsoup
Issue Correction:
Run dnf update libsoup --releasever 2023.6.20241212 to update your system.
New Packages:
aarch64:
libsoup-debuginfo-2.72.0-6.amzn2023.0.3.aarch64
libsoup-debugsource-2.72.0-6.amzn2023.0.3.aarch64
libsoup-devel-2.72.0-6.amzn2023.0.3.aarch64
libsoup-2.72.0-6.amzn2023.0.3.aarch64
noarch:
libsoup-doc-2.72.0-6.amzn2023.0.3.noarch
src:
libsoup-2.72.0-6.amzn2023.0.3.src
x86_64:
libsoup-debuginfo-2.72.0-6.amzn2023.0.3.x86_64
libsoup-devel-2.72.0-6.amzn2023.0.3.x86_64
libsoup-2.72.0-6.amzn2023.0.3.x86_64
libsoup-debugsource-2.72.0-6.amzn2023.0.3.x86_64