SUSE-SU-2026:20752-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-202620752-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:20752-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2026:20752-1
Upstream
  • CVE-2025-14523
  • CVE-2026-1467
  • CVE-2026-1539
  • CVE-2026-1760
  • CVE-2026-2369
  • CVE-2026-2443
  • CVE-2026-2708
Related
Published
2026-03-18T10:01:36Z
Modified
2026-03-25T17:23:47.132253Z
Summary
Security update for libsoup
Details

This update for libsoup fixes the following issues:

Update to libsoup 3.6.6:

  • CVE-2025-12105: heap use-after-free in message queue handling during HTTP/2 read completion (bsc#1252555).
  • CVE-2025-14523: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (bsc#1254876).
  • CVE-2025-32049: Denial of Service attack against the websocket server (bsc#1240751).
  • CVE-2026-1467: lack of input sanitization can lead to unintended or unauthorized HTTP requests (bsc#1257398).
  • CVE-2026-1539: proxy authentication credentials leaked via the Proxy-Authorization header when handling HTTP redirects (bsc#1257441).
  • CVE-2026-1760: improper handling of HTTP requests combining certain headers by SoupServer can lead to HTTP request smuggling and potential DoS (bsc#1257597).
  • CVE-2026-2369: Buffer overread due to integer underflow when handling zero-length resources (bsc#1258120).
  • CVE-2026-2443: out-of-bounds read when processing specially crafted HTTP Range headers can lead to heap information disclosure to remote attackers (bsc#1258170).
  • CVE-2026-2708: HTTP request smuggling via duplicate Content-Length headers (bsc#1258508).

Changelog:

  • websocket: Fix out-of-bounds read in process_frame
  • Check nulls returned by soup_date_time_new_from_http_string()
  • Numerous fixes to handling of Range headers
  • server: close the connection after responding to a request containing both Content-Length and Transfer-Encoding
  • Use CRLF as line boundary when parsing chunked encoding data
  • websocket: do not accept message frames after closing due to an error
  • Sanitize filename of content disposition header values
  • Always validate the headers value when coming from untrusted source
  • uri-utils: do host validation when checking if a GUri is valid
  • multipart: check length of bytes read by soup_filter_input_stream_read_until()
  • message-headers: Reject duplicate Host headers
  • server: null-check soup_date_time_to_string()
  • auth-digest: fix crash in soup_auth_digest_get_protection_space()
  • session: fix 'heap-use-after-free' caused by 'finishing' queue item twice
  • cookies: Avoid expires attribute if date is invalid
  • http1: Set EOF flag once content-length bytes have been read
  • date-utils: Add value checks for date/time parsing
  • multipart: Fix multiple boundary limits
  • Fixed multiple possible memory leaks
  • message-headers: Correct merge of ranges
  • body-input-stream: Correct chunked trailers end detection
  • server-http2: Correctly validate URIs
  • multipart: Fix read out of buffer bounds under soup_multipart_new_from_message()
  • headers: Ensure Request-Line comprises entire first line
  • tests: Fix MSVC build error
  • Fix possible deadlock on init from gmodule usage
  • Updated translations.
References

Affected packages

SUSE:Linux Micro 6.2 / libsoup

Package

Name
libsoup
Purl
pkg:rpm/suse/libsoup&distro=SUSE%20Linux%20Micro%206.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.6.6-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "libsoup-3_0-0": "3.6.6-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:20752-1.json"