ALAS2023-2025-961

Amazon Linux 2023 Security Advisory: ALAS2023-2025-961
Advisory Released Date: 2025-05-13
Advisory Updated Date: 2025-05-13

Severity: Important

References: CVE-2025-32907 CVE-2025-32908 CVE-2025-32914
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. (CVE-2025-32907)

A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS). (CVE-2025-32908)

A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds. (CVE-2025-32914)

Affected Packages:

libsoup3

Issue Correction:
Run dnf update libsoup3 --releasever 2023.7.20250512 to update your system.

New Packages:

aarch64:
    libsoup3-debuginfo-3.6.5-48.amzn2023.aarch64
    libsoup3-3.6.5-48.amzn2023.aarch64
    libsoup3-devel-3.6.5-48.amzn2023.aarch64
    libsoup3-debugsource-3.6.5-48.amzn2023.aarch64

noarch:
    libsoup3-doc-3.6.5-48.amzn2023.noarch

src:
    libsoup3-3.6.5-48.amzn2023.src

x86_64:
    libsoup3-debuginfo-3.6.5-48.amzn2023.x86_64
    libsoup3-debugsource-3.6.5-48.amzn2023.x86_64
    libsoup3-devel-3.6.5-48.amzn2023.x86_64
    libsoup3-3.6.5-48.amzn2023.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-32907, CVE-2025-32908, CVE-2025-32914

Mitre: CVE-2025-32907, CVE-2025-32908, CVE-2025-32914