{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2025-4948: fix integer underflow in soup_multipart_new_from_message()\n- CVE-2025-32049: fix Denial of Service attack to websocket server\n- CVE-2025-32914: fix OOB Read through soup_multipart_new_from_message()",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/advisories/2025/clsa-2025_1762792127.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1762792127",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1762792127"
      }
    ],
    "tracking": {
      "current_release_date": "2025-11-21T10:27:57Z",
      "generator": {
        "date": "2025-11-21T10:27:57Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1762792127",
      "initial_release_date": "2025-11-10T16:28:52Z",
      "revision_history": [
        {
          "date": "2025-11-10T16:28:52Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-21T10:27:57Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "libsoup: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 7",
                "product": {
                  "name": "Community Enterprise Operating System 7",
                  "product_id": "CentOS-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
                "product": {
                  "name": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
                  "product_id": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libsoup@2.62.2-2.0.5.el7.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
                "product": {
                  "name": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
                  "product_id": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libsoup-devel@2.62.2-2.0.5.el7.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
                "product": {
                  "name": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
                  "product_id": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libsoup@2.62.2-2.0.5.el7.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
                "product": {
                  "name": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
                  "product_id": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libsoup-devel@2.62.2-2.0.5.el7.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686"
        },
        "product_reference": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
        },
        "product_reference": "libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686"
        },
        "product_reference": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
        },
        "product_reference": "libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-32914",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
          "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
          "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
          "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-32914"
        }
      ],
      "release_date": "2025-04-14T00:00:00Z",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
            "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
            "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
            "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-4948",
      "cwe": {
        "id": "CWE-191",
        "name": "Integer Underflow (Wrap or Wraparound)"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
          "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
          "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
          "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-4948"
        }
      ],
      "release_date": "2025-05-19T00:00:00Z",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
            "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
            "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
            "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-32049",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
          "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
          "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
          "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-32049"
        }
      ],
      "release_date": "2025-04-03T00:00:00Z",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
            "CentOS-7:libsoup-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64",
            "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.i686",
            "CentOS-7:libsoup-devel-0:2.62.2-2.0.5.el7.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}