Source: libsoup3
Version: 3.6.5-7
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libsoup/-/issues/488
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libsoup3.

CVE-2026-1467[0]:
| A flaw was found in libsoup, an HTTP client library. This
| vulnerability, known as CRLF (Carriage Return Line Feed) Injection,
| occurs when an HTTP proxy is configured and the library improperly
| handles URL-decoded input used to create the Host header. A remote
| attacker can exploit this by providing a specially crafted URL
| containing CRLF sequences, allowing them to inject additional HTTP
| headers or complete HTTP request bodies. This can lead to unintended
| or unauthorized HTTP requests being forwarded by the proxy,
| potentially impacting downstream services.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1467
    https://www.cve.org/CVERecord?id=CVE-2026-1467
[1] https://gitlab.gnome.org/GNOME/libsoup/-/issues/488
[2] https://gitlab.gnome.org/GNOME/libsoup/-/commit/167ef0c6817658c1a089c75c462482209e207db4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
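
A defensive check for the flaw class described in the report, added here as an example; it is not part of the original message and is not the libsoup fix. The helper name `decode_host_for_header` and the sample hosts are hypothetical and constructed: the function percent-decodes a URL host and refuses any result that could not safely be written into a `Host:` header line.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Hypothetical helper: percent-decode the host part of a URL into out and
 * accept it only if the decoded bytes are safe to place in a Host header.
 * Returns false on malformed escapes, on a decoded control byte (CR, LF,
 * NUL, ...), on a space or DEL, on an empty host, or if out is too small.
 */
bool decode_host_for_header(const char *host, char *out, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; host[i] != '\0'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '%') {
            int hi = hex_val(host[i + 1]);
            int lo = hi < 0 ? -1 : hex_val(host[i + 2]);
            if (lo < 0)
                return false;          /* truncated or non-hex escape */
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (c <= 0x20 || c == 0x7f)
            return false;              /* would split or corrupt the header line */
        if (n + 1 >= out_len)
            return false;              /* no room for byte plus terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0;
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: a plain host, then one carrying encoded CR LF. */
    printf("%d\n", decode_host_for_header("proxy.example", buf, sizeof buf));
    printf("%d\n", decode_host_for_header("proxy.example%0d%0aX-Injected:1", buf, sizeof buf));
    return 0;
}
```

The check runs on the decoded bytes, since validating only the raw URL text would miss `%0d%0a`.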

