ALAS2023-2026-1439

References: CVE-2025-32050  CVE-2025-32052  CVE-2025-32053  CVE-2025-32909  CVE-2025-32910 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read. (CVE-2025-32050)

A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read. (CVE-2025-32052)

A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read. (CVE-2025-32053)

A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash. (CVE-2025-32909)

A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash. (CVE-2025-32910)

Issue Correction:
Run dnf update libsoup --releasever 2023.10.20260216 or dnf update --advisory ALAS2023-2026-1439 --releasever 2023.10.20260216 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    libsoup-debugsource-2.72.0-6.amzn2023.0.11.aarch64
    libsoup-2.72.0-6.amzn2023.0.11.aarch64
    libsoup-devel-2.72.0-6.amzn2023.0.11.aarch64
    libsoup-debuginfo-2.72.0-6.amzn2023.0.11.aarch64

noarch:
    libsoup-doc-2.72.0-6.amzn2023.0.11.noarch

src:
    libsoup-2.72.0-6.amzn2023.0.11.src

x86_64:
    libsoup-devel-2.72.0-6.amzn2023.0.11.x86_64
    libsoup-debuginfo-2.72.0-6.amzn2023.0.11.x86_64
    libsoup-debugsource-2.72.0-6.amzn2023.0.11.x86_64
    libsoup-2.72.0-6.amzn2023.0.11.x86_64