ALAS2023-2026-1460


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1460
Advisory Released Date: 2026-03-05
Advisory Updated Date: 2026-03-05
Severity: Important

Issue Overview:

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. (CVE-2026-1536)

A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. (CVE-2026-1539)

libsoup: heap buffer overflow in soup_content_sniffer_sniff (CVE-2026-2369)
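
An application-side guard for the Content-Disposition issue (CVE-2026-1536), as an added example that is not part of this advisory or of libsoup. The hypothetical helper build_content_disposition() rejects CR, LF and other control bytes in an untrusted file name and escapes the quoted-string delimiters before the value is handed to any HTTP library; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libsoup API): writes
 * attachment; filename="<name>" into out for an untrusted file name.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_content_disposition(const char *filename, char *out, size_t outlen)
{
    static const char prefix[] = "attachment; filename=\"";
    size_t pos = sizeof(prefix) - 1;

    /* Smallest valid result is prefix + closing quote + NUL. */
    if (filename == NULL || out == NULL || outlen < sizeof(prefix) + 1)
        return -1;
    memcpy(out, prefix, pos);

    for (const unsigned char *p = (const unsigned char *)filename; *p; p++) {
        /* Quote and backslash are escaped so the value cannot close
         * the quoted-string and append parameters of its own. */
        size_t need = (*p == '"' || *p == '\\') ? 2 : 1;
        /* CR, LF and every other control byte are refused outright:
         * they are what turns one header value into extra header lines.
         * The length check keeps room for the closing quote and NUL. */
        if (*p < 0x20 || *p == 0x7f || pos + need + 2 > outlen) {
            out[0] = '\0';
            return -1;
        }
        if (need == 2)
            out[pos++] = '\\';
        out[pos++] = (char)*p;
    }
    out[pos++] = '"';
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign name and one carrying CRLF. */
    const char *names[] = { "report.pdf", "a.txt\r\nX-Injected: 1" };
    char hdr[128];
    for (size_t i = 0; i < 2; i++) {
        if (build_content_disposition(names[i], hdr, sizeof hdr) == 0)
            printf("Content-Disposition: %s\n", hdr);
        else
            printf("rejected file name #%zu\n", i);
    }
    return 0;
}
```

A check like this complements the package update listed under Issue Correction; it does not replace it.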


Affected Packages:

libsoup3


Issue Correction:
Run one of the following commands to update your system:
    dnf update libsoup3 --releasever 2023.10.20260302
    dnf update --advisory ALAS2023-2026-1460 --releasever 2023.10.20260302
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    libsoup3-debuginfo-3.6.5-56.amzn2023.aarch64
    libsoup3-devel-3.6.5-56.amzn2023.aarch64
    libsoup3-3.6.5-56.amzn2023.aarch64
    libsoup3-debugsource-3.6.5-56.amzn2023.aarch64

noarch:
    libsoup3-doc-3.6.5-56.amzn2023.noarch

src:
    libsoup3-3.6.5-56.amzn2023.src

x86_64:
    libsoup3-debuginfo-3.6.5-56.amzn2023.x86_64
    libsoup3-devel-3.6.5-56.amzn2023.x86_64
    libsoup3-debugsource-3.6.5-56.amzn2023.x86_64
    libsoup3-3.6.5-56.amzn2023.x86_64