SUSE-SU-2026:20649-1

This update for libsoup fixes the following issues:

• CVE-2025-32049: denial of service attack to websocket server (bsc#1240751).
• CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
• CVE-2026-1536: HTTP header injection or response splitting via CRLF injection in the Content-Disposition header (bsc#1257440).
• CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects (bsc#1257441).
• CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request smuggling and potential DoS (bsc#1257597).
• CVE-2026-1761: incorrect length calculation when parsing of multipart HTTP responses can lead to a stack-based buffer overflow (bsc#1257598).
• CVE-2026-2369: buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
• CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers (bsc#1258170).
• CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).