Accepting request 1326753 from GNOME:Factory

- Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for
  websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494).
- Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum
  (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493). (forwarded request 1326672 from AZhou)

OBS-URL: https://build.opensuse.org/request/show/1326753
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsoup?expand=0&rev=162

libsoup-CVE-2025-11021.patch

@@ -0,0 +1,49 @@
+diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/cookies/soup-cookie.c libsoup-3.6.5.new/libsoup/cookies/soup-cookie.c
+--- libsoup-3.6.5/libsoup/cookies/soup-cookie.c	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5.new/libsoup/cookies/soup-cookie.c	2025-10-16 11:11:23.233860890 +0800
+@@ -758,12 +758,13 @@
+ 
+ 	if (cookie->expires) {
+ 		char *timestamp;
+-
+-		g_string_append (header, "; expires=");
+ 		timestamp = soup_date_time_to_string (cookie->expires,
+ 						      SOUP_DATE_COOKIE);
+-		g_string_append (header, timestamp);
+-		g_free (timestamp);
++                if (timestamp) {
++                        g_string_append (header, "; expires=");
++                        g_string_append (header, timestamp);
++                        g_free (timestamp);
++                }
+ 	}
+ 	if (cookie->path) {
+ 		g_string_append (header, "; path=");
+diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/server/soup-server.c libsoup-3.6.5.new/libsoup/server/soup-server.c
+--- libsoup-3.6.5/libsoup/server/soup-server.c	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5.new/libsoup/server/soup-server.c	2025-10-16 11:12:03.270673884 +0800
+@@ -852,6 +852,11 @@
+ 
+ 	date = g_date_time_new_now_utc ();
+ 	date_string = soup_date_time_to_string (date, SOUP_DATE_HTTP);
++	if (!date_string) {
++		g_date_time_unref (date);
++		return;
++	}
++
+ 	soup_message_headers_replace_common (headers, SOUP_HEADER_DATE, date_string);
+ 	g_free (date_string);
+ 	g_date_time_unref (date);
+diff --unified --recursive --text --new-file --color libsoup-3.6.5/libsoup/soup-date-utils.c libsoup-3.6.5.new/libsoup/soup-date-utils.c
+--- libsoup-3.6.5/libsoup/soup-date-utils.c	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5.new/libsoup/soup-date-utils.c	2025-10-16 11:11:23.234306968 +0800
+@@ -92,6 +92,9 @@
+ 		 * @date if it's non-UTC.
+ 		 */
+ 		GDateTime *utcdate = g_date_time_to_utc (date);
++                if (!utcdate)
++                        return NULL;
++
+                 char *date_format;
+                 char *formatted_date;
+ 

libsoup-CVE-2025-12105.patch

@@ -0,0 +1,30 @@
+From 9ba1243a24e442fa5ec44684617a4480027da960 Mon Sep 17 00:00:00 2001
+From: Eugene Mutavchi <Ievgen_Mutavchi@comcast.com>
+Date: Fri, 10 Oct 2025 16:24:27 +0000
+Subject: [PATCH] fix 'heap-use-after-free' caused by 'finishing' queue item
+ twice
+
+---
+ libsoup/soup-session.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index c5694d2c..4e6b478b 100644
+--- a/libsoup/soup-session.c
++++ b/libsoup/soup-session.c
+@@ -2894,8 +2894,10 @@ run_until_read_done (SoupMessage          *msg,
+ 		if (soup_message_io_in_progress (msg))
+ 			soup_message_io_finished (msg);
+ 		item->paused = FALSE;
+-		item->state = SOUP_MESSAGE_FINISHING;
+-		soup_session_process_queue_item (item->session, item, FALSE);
++		if (item->state != SOUP_MESSAGE_FINISHED) {
++			item->state = SOUP_MESSAGE_FINISHING;
++			soup_session_process_queue_item (item->session, item, FALSE);
++		}
+ 	}
+ 	async_send_request_return_result (item, NULL, error);
+         soup_message_queue_item_unref (item);
+-- 
+2.51.1
+

libsoup-CVE-2025-14523.patch

@@ -0,0 +1,656 @@
+diff --unified --recursive --text --new-file --color libsoup-3.6.5.old/libsoup/soup-headers.c libsoup-3.6.5/libsoup/soup-headers.c
+--- libsoup-3.6.5.old/libsoup/soup-headers.c	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5/libsoup/soup-headers.c	2026-01-08 13:16:08.435966870 +0800
+@@ -139,7 +139,8 @@
+ 		for (p = strchr (value, '\r'); p; p = strchr (p, '\r'))
+ 			*p = ' ';
+ 
+-		soup_message_headers_append_untrusted_data (dest, name, value);
++		if (!soup_message_headers_append_untrusted_data (dest, name, value))
++                        goto done;
+         }
+ 	success = TRUE;
+ 
+diff --unified --recursive --text --new-file --color libsoup-3.6.5.old/libsoup/soup-message-headers.c libsoup-3.6.5/libsoup/soup-message-headers.c
+--- libsoup-3.6.5.old/libsoup/soup-message-headers.c	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5/libsoup/soup-message-headers.c	2026-01-08 13:16:08.436303415 +0800
+@@ -273,12 +273,16 @@
+ 	soup_header_free_list (tokens);
+ }
+ 
+-void
++gboolean
+ soup_message_headers_append_common (SoupMessageHeaders *hdrs,
+                                     SoupHeaderName      name,
+                                     const char         *value)
+ {
+         SoupCommonHeader header;
++        if (name == SOUP_HEADER_HOST && soup_message_headers_get_one (hdrs, "Host")) {
++                g_warning ("Attempted to add duplicate Host header to a SoupMessageHeaders that already contains a Host header");
++                return FALSE;
++        }
+ 
+         if (!hdrs->common_headers)
+                 hdrs->common_headers = g_array_sized_new (FALSE, FALSE, sizeof (SoupCommonHeader), 6);
+@@ -290,33 +294,19 @@
+                 g_hash_table_remove (hdrs->common_concat, GUINT_TO_POINTER (header.name));
+ 
+         soup_message_headers_set (hdrs, name, value);
++        return TRUE;
+ }
+ 
+-/**
+- * soup_message_headers_append:
+- * @hdrs: a #SoupMessageHeaders
+- * @name: the header name to add
+- * @value: the new value of @name
+- *
+- * Appends a new header with name @name and value @value to @hdrs.
+- *
+- * (If there is an existing header with name @name, then this creates a second
+- * one, which is only allowed for list-valued headers; see also
+- * [method@MessageHeaders.replace].)
+- *
+- * The caller is expected to make sure that @name and @value are
+- * syntactically correct.
+- **/
+-void
+-soup_message_headers_append (SoupMessageHeaders *hdrs,
+-			     const char *name, const char *value)
++static gboolean
++soup_message_headers_append_internal (SoupMessageHeaders *hdrs,
++			              const char *name, const char *value)
+ {
+ 	SoupUncommonHeader header;
+         SoupHeaderName header_name;
+ 
+-	g_return_if_fail (hdrs);
+-	g_return_if_fail (name != NULL);
+-	g_return_if_fail (value != NULL);
++	g_return_val_if_fail (hdrs, FALSE);
++	g_return_val_if_fail (name != NULL, FALSE);
++	g_return_val_if_fail (value != NULL, FALSE);
+ 
+ 	/* Setting a syntactically invalid header name or value is
+ 	 * considered to be a programming error. However, it can also
+@@ -324,23 +314,22 @@
+ 	 * compiled with G_DISABLE_CHECKS.
+ 	 */
+ #ifndef G_DISABLE_CHECKS
+-	g_return_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL);
+-	g_return_if_fail (strpbrk (value, "\r\n") == NULL);
++	g_return_val_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL, FALSE);
++	g_return_val_if_fail (strpbrk (value, "\r\n") == NULL, FALSE);
+ #else
+ 	if (*name && strpbrk (name, " \t\r\n:")) {
+ 		g_warning ("soup_message_headers_append: Ignoring bad name '%s'", name);
+-		return;
++		return FALSE;
+ 	}
+ 	if (strpbrk (value, "\r\n")) {
+ 		g_warning ("soup_message_headers_append: Ignoring bad value '%s'", value);
+-		return;
++		return FALSE;
+ 	}
+ #endif
+ 
+         header_name = soup_header_name_from_string (name);
+         if (header_name != SOUP_HEADER_UNKNOWN) {
+-                soup_message_headers_append_common (hdrs, header_name, value);
+-                return;
++                return soup_message_headers_append_common (hdrs, header_name, value);
+         }
+ 
+         if (!hdrs->uncommon_headers)
+@@ -351,21 +340,48 @@
+ 	g_array_append_val (hdrs->uncommon_headers, header);
+ 	if (hdrs->uncommon_concat)
+ 		g_hash_table_remove (hdrs->uncommon_concat, header.name);
++        return TRUE;
++}
++
++/**
++ * soup_message_headers_append:
++ * @hdrs: a #SoupMessageHeaders
++ * @name: the header name to add
++ * @value: the new value of @name
++ *
++ * Appends a new header with name @name and value @value to @hdrs.
++ *
++ * (If there is an existing header with name @name, then this creates a second
++ * one, which is only allowed for list-valued headers; see also
++ * [method@MessageHeaders.replace].)
++ *
++ * The caller is expected to make sure that @name and @value are
++ * syntactically correct.
++ **/
++void
++soup_message_headers_append (SoupMessageHeaders *hdrs,
++			     const char *name, const char *value)
++{
++	soup_message_headers_append_internal (hdrs, name, value);
+ }
+ 
+ /*
+- * Appends a header value ensuring that it is valid UTF8.
++ * Appends a header value ensuring that it is valid UTF-8, and also checking the
++ * return value of soup_message_headers_append_internal() to report whether the
++ * headers are invalid for various other reasons.
+  */
+-void
++gboolean
+ soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs,
+                                             const char         *name,
+                                             const char         *value)
+ {
+         char *safe_value = g_utf8_make_valid (value, -1);
+         char *safe_name = g_utf8_make_valid (name, -1);
+-        soup_message_headers_append (hdrs, safe_name, safe_value);
++        gboolean result = soup_message_headers_append_internal (hdrs, safe_name, safe_value);
++
+         g_free (safe_value);
+         g_free (safe_name);
++        return result;
+ }
+ 
+ void
+diff --unified --recursive --text --new-file --color libsoup-3.6.5.old/libsoup/soup-message-headers-private.h libsoup-3.6.5/libsoup/soup-message-headers-private.h
+--- libsoup-3.6.5.old/libsoup/soup-message-headers-private.h	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5/libsoup/soup-message-headers-private.h	2026-01-08 13:16:08.436117760 +0800
+@@ -10,10 +10,10 @@
+ 
+ G_BEGIN_DECLS
+ 
+-void        soup_message_headers_append_untrusted_data  (SoupMessageHeaders *hdrs,
++gboolean    soup_message_headers_append_untrusted_data  (SoupMessageHeaders *hdrs,
+                                                          const char         *name,
+                                                          const char         *value);
+-void        soup_message_headers_append_common          (SoupMessageHeaders *hdrs,
++gboolean    soup_message_headers_append_common          (SoupMessageHeaders *hdrs,
+                                                          SoupHeaderName      name,
+                                                          const char         *value);
+ const char *soup_message_headers_get_one_common         (SoupMessageHeaders *hdrs,
+diff --unified --recursive --text --new-file --color libsoup-3.6.5.old/tests/header-parsing-test.c libsoup-3.6.5/tests/header-parsing-test.c
+--- libsoup-3.6.5.old/tests/header-parsing-test.c	2025-03-22 02:30:16.000000000 +0800
++++ libsoup-3.6.5/tests/header-parsing-test.c	2026-01-08 13:18:31.071434112 +0800
+@@ -24,6 +24,7 @@
+ 	const char *method, *path;
+ 	SoupHTTPVersion version;
+ 	Header headers[10];
++	GLogLevelFlags log_flags;
+ } reqtests[] = {
+ 	/**********************/
+ 	/*** VALID REQUESTS ***/
+@@ -33,7 +34,7 @@
+ 	  "GET / HTTP/1.0\r\n", -1,
+ 	  SOUP_STATUS_OK,
+ 	  "GET", "/", SOUP_HTTP_1_0,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header", NULL,
+@@ -42,7 +43,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header, no leading whitespace", NULL,
+@@ -51,7 +52,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header including trailing whitespace", NULL,
+@@ -60,7 +61,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header, wrapped", NULL,
+@@ -69,7 +70,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Foo", "bar baz" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header, wrapped with additional whitespace", NULL,
+@@ -78,7 +79,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Foo", "bar baz" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header, wrapped with tab", NULL,
+@@ -87,7 +88,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Foo", "bar baz" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header, wrapped before value", NULL,
+@@ -96,7 +97,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Foo", "bar baz" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 1 header with empty value", NULL,
+@@ -105,7 +106,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 2 headers", NULL,
+@@ -115,7 +116,7 @@
+ 	  { { "Host", "example.com" },
+ 	    { "Connection", "close" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 3 headers", NULL,
+@@ -126,7 +127,7 @@
+ 	    { "Connection", "close" },
+ 	    { "Blah", "blah" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 3 headers, 1st wrapped", NULL,
+@@ -137,7 +138,7 @@
+             { "Foo", "bar baz" },
+ 	    { "Blah", "blah" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 3 headers, 2nd wrapped", NULL,
+@@ -148,7 +149,7 @@
+ 	    { "Blah", "blah" },
+ 	    { "Foo", "bar baz" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ 3 headers, 3rd wrapped", NULL,
+@@ -159,7 +160,7 @@
+ 	    { "Blah", "blah" },
+ 	    { "Foo", "bar baz" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ same header multiple times", NULL,
+@@ -168,7 +169,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Foo", "bar, baz, quux" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Connection header on HTTP/1.0 message", NULL,
+@@ -178,21 +179,21 @@
+ 	  { { "Connection", "Bar, Quux" },
+             { "Foo", "bar" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "GET with full URI", "667637",
+ 	  "GET http://example.com HTTP/1.1\r\n", -1,
+ 	  SOUP_STATUS_OK,
+ 	  "GET", "http://example.com", SOUP_HTTP_1_1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "GET with full URI in upper-case", "667637",
+ 	  "GET HTTP://example.com HTTP/1.1\r\n", -1,
+ 	  SOUP_STATUS_OK,
+ 	  "GET", "HTTP://example.com", SOUP_HTTP_1_1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	/* It's better for this to be passed through: this means a SoupServer
+@@ -202,7 +203,7 @@
+ 	  "GET AbOuT: HTTP/1.1\r\n", -1,
+ 	  SOUP_STATUS_OK,
+ 	  "GET", "AbOuT:", SOUP_HTTP_1_1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	/****************************/
+@@ -217,7 +218,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	/* RFC 2616 section 3.1 says we MUST accept this */
+@@ -228,7 +229,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	/* RFC 2616 section 19.3 says we SHOULD accept these */
+@@ -240,7 +241,7 @@
+ 	  { { "Host", "example.com" },
+ 	    { "Connection", "close" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "LF instead of CRLF after Request-Line", NULL,
+@@ -249,7 +250,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Mixed CRLF/LF", "666316",
+@@ -261,7 +262,7 @@
+ 	    { "e", "f" },
+ 	    { "g", "h" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ incorrect whitespace in Request-Line", NULL,
+@@ -270,7 +271,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Req w/ incorrect whitespace after Request-Line", "475169",
+@@ -279,7 +280,7 @@
+ 	  "GET", "/", SOUP_HTTP_1_1,
+ 	  { { "Host", "example.com" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	/* If the request/status line is parseable, then we
+@@ -293,7 +294,7 @@
+ 	  { { "Host", "example.com" },
+ 	    { "Bar", "two" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "First header line is continuation", "666316",
+@@ -303,7 +304,7 @@
+ 	  { { "Host", "example.com" },
+ 	    { "c", "d" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Zero-length header name", "666316",
+@@ -313,7 +314,7 @@
+ 	  { { "a", "b" },
+ 	    { "c", "d" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "CR in header name", "666316",
+@@ -323,7 +324,7 @@
+ 	  { { "a", "b" },
+ 	    { "c", "d" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "CR in header value", "666316",
+@@ -336,7 +337,7 @@
+ 	    { "s", "t" },		/* CR at end is ignored */
+ 	    { "c", "d" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Tab in header name", "666316",
+@@ -351,7 +352,7 @@
+ 	    { "p", "q z: w" },
+ 	    { "c", "d" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	{ "Tab in header value", "666316",
+@@ -364,7 +365,7 @@
+ 	    { "z", "w" },	/* trailing tab ignored */
+ 	    { "c", "d" },
+ 	    { NULL }
+-	  }
++	  }, 0
+ 	},
+ 
+ 	/************************/
+@@ -375,77 +376,77 @@
+ 	  "GET /\r\n", -1,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "HTTP 1.2 request (no such thing)", NULL,
+ 	  "GET / HTTP/1.2\r\n", -1,
+ 	  SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "HTTP 2000 request (no such thing)", NULL,
+ 	  "GET / HTTP/2000.0\r\n", -1,
+ 	  SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ 	  unterminated_http_version, sizeof (unterminated_http_version),
+ 	  SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "Non-HTTP request", NULL,
+ 	  "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "Junk after Request-Line", NULL,
+ 	  "GET / HTTP/1.1 blah\r\nHost: example.com\r\n", -1,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "NUL in Method", NULL,
+ 	  "G\x00T / HTTP/1.1\r\nHost: example.com\r\n", 37,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "NUL at beginning of Method", "666316",
+ 	  "\x00 / HTTP/1.1\r\nHost: example.com\r\n", 35,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "NUL in Path", NULL,
+ 	  "GET /\x00 HTTP/1.1\r\nHost: example.com\r\n", 38,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "No terminating CRLF", NULL,
+ 	  "GET / HTTP/1.1\r\nHost: example.com", -1,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "Unrecognized expectation", NULL,
+ 	  "GET / HTTP/1.1\r\nHost: example.com\r\nExpect: the-impossible\r\n", -1,
+ 	  SOUP_STATUS_EXPECTATION_FAILED,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	// https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+@@ -453,22 +454,32 @@
+ 	  "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ 	  SOUP_STATUS_BAD_REQUEST,
+ 	  NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "NUL in header value", NULL,
+ 	  "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ 	  SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+-	  { { NULL } }
++	  { { NULL } }, 0
+ 	},
+ 
+ 	{ "Only newlines", NULL,
+ 	  only_newlines, sizeof (only_newlines),
+ 	  SOUP_STATUS_BAD_REQUEST,
+            NULL, NULL, -1,
+-	  { { NULL } }
+-	}
++           { { NULL } }, 0
++	},
++
++	{ "Duplicate Host headers",
++	  "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
++	  "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
++	  -1,
++	  SOUP_STATUS_BAD_REQUEST,
++	  NULL, NULL, -1,
++	  { { NULL } },
++	  G_LOG_LEVEL_WARNING
++        }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+ 
+@@ -915,10 +926,17 @@
+ 			len = strlen (reqtests[i].request);
+ 		else
+ 			len = reqtests[i].length;
++
++		if (reqtests[i].log_flags)
++			g_test_expect_message ("libsoup", reqtests[i].log_flags, "*");
++
+ 		status = soup_headers_parse_request (reqtests[i].request, len,
+ 						     headers, &method, &path,
+ 						     &version);
+ 		g_assert_cmpint (status, ==, reqtests[i].status);
++		if (reqtests[i].log_flags)
++			g_test_assert_expected_messages ();
++
+ 		if (SOUP_STATUS_IS_SUCCESSFUL (status)) {
+ 			g_assert_cmpstr (method, ==, reqtests[i].method);
+ 			g_assert_cmpstr (path, ==, reqtests[i].path);
+@@ -1314,6 +1332,25 @@
+ 	soup_message_headers_unref (hdrs);
+ }
+ 
++static void
++do_append_duplicate_host_test (void)
++{
++	SoupMessageHeaders *hdrs;
++	const char *list_value;
++
++	hdrs = soup_message_headers_new (SOUP_MESSAGE_HEADERS_REQUEST);
++	soup_message_headers_append (hdrs, "Host", "a");
++	g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING,
++		               "Attempted to add duplicate Host header to a SoupMessageHeaders that already contains a Host header");
++	soup_message_headers_append (hdrs, "Host", "b");
++	g_test_assert_expected_messages ();
++
++	list_value = soup_message_headers_get_list (hdrs, "Host");
++	g_assert_cmpstr (list_value, ==, "a");
++
++	soup_message_headers_unref (hdrs);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1329,6 +1366,7 @@
+ 	g_test_add_func ("/header-parsing/content-type", do_content_type_tests);
+ 	g_test_add_func ("/header-parsing/append-param", do_append_param_tests);
+ 	g_test_add_func ("/header-parsing/bad", do_bad_header_tests);
++	g_test_add_func ("/header-parsing/append-duplicate-host", do_append_duplicate_host_test);
+ 
+ 	ret = g_test_run ();
+ 

libsoup-CVE-2025-4945.patch

@@ -0,0 +1,113 @@
+From 8988379984e33dcc7d3aa58551db13e48755959f Mon Sep 17 00:00:00 2001
+From: Milan Crha <mcrha@redhat.com>
+Date: Thu, 15 May 2025 07:59:14 +0200
+Subject: [PATCH] soup-date-utils: Add value checks for date/time parsing
+
+Reject date/time when it does not represent a valid value.
+
+Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
+---
+ libsoup/soup-date-utils.c | 23 +++++++++++++++--------
+ tests/cookies-test.c      | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
+index fd785f50..34ca9950 100644
+--- a/libsoup/soup-date-utils.c
++++ b/libsoup/soup-date-utils.c
+@@ -129,7 +129,7 @@ parse_day (int *day, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return *day >= 1 && *day <= 31;
+ }
+ 
+ static inline gboolean
+@@ -169,7 +169,7 @@ parse_year (int *year, const char **date_string)
+ 	while (*end == ' ' || *end == '-')
+ 		end++;
+ 	*date_string = end;
+-	return TRUE;
++	return *year > 0 && *year < 9999;
+ }
+ 
+ static inline gboolean
+@@ -193,7 +193,7 @@ parse_time (int *hour, int *minute, int *second, const char **date_string)
+ 	while (*p == ' ')
+ 		p++;
+ 	*date_string = p;
+-	return TRUE;
++	return *hour >= 0 && *hour < 24 && *minute >= 0 && *minute < 60 && *second >= 0 && *second < 60;
+ }
+ 
+ static inline gboolean
+@@ -209,9 +209,14 @@ parse_timezone (GTimeZone **timezone, const char **date_string)
+ 		gulong val;
+ 		int sign = (**date_string == '+') ? 1 : -1;
+ 		val = strtoul (*date_string + 1, (char **)date_string, 10);
+-		if (**date_string == ':')
+-			val = 60 * val + strtoul (*date_string + 1, (char **)date_string, 10);
+-		else
++		if (val > 9999)
++			return FALSE;
++		if (**date_string == ':') {
++			gulong val2 = strtoul (*date_string + 1, (char **)date_string, 10);
++			if (val > 99 || val2 > 99)
++				return FALSE;
++			val = 60 * val + val2;
++		} else
+ 			val =  60 * (val / 100) + (val % 100);
+ 		offset_minutes = sign * val;
+                 utc = (sign == -1) && !val;
+@@ -264,7 +269,8 @@ parse_textual_date (const char *date_string)
+ 		if (!parse_month (&month, &date_string) ||
+ 		    !parse_day (&day, &date_string) ||
+ 		    !parse_time (&hour, &minute, &second, &date_string) ||
+-		    !parse_year (&year, &date_string))
++		    !parse_year (&year, &date_string) ||
++		    !g_date_valid_dmy (day, month, year))
+ 			return NULL;
+ 
+ 		/* There shouldn't be a timezone, but check anyway */
+@@ -276,7 +282,8 @@ parse_textual_date (const char *date_string)
+ 		if (!parse_day (&day, &date_string) ||
+ 		    !parse_month (&month, &date_string) ||
+ 		    !parse_year (&year, &date_string) ||
+-		    !parse_time (&hour, &minute, &second, &date_string))
++		    !parse_time (&hour, &minute, &second, &date_string) ||
++		    !g_date_valid_dmy (day, month, year))
+ 			return NULL;
+ 
+ 		/* This time there *should* be a timezone, but we
+diff --git a/tests/cookies-test.c b/tests/cookies-test.c
+index 1d2d4563..ff809a40 100644
+--- a/tests/cookies-test.c
++++ b/tests/cookies-test.c
+@@ -460,6 +460,15 @@ do_cookies_parsing_max_age_long_overflow (void)
+ 	soup_cookie_free (cookie);
+ }
+ 
++static void
++do_cookies_parsing_int32_overflow (void)
++{
++	SoupCookie *cookie = soup_cookie_parse ("Age=1;expires=3Mar9    999:9:9+ 999999999-age=main=gne=", NULL);
++	g_assert_nonnull (cookie);
++	g_assert_null (soup_cookie_get_expires (cookie));
++	soup_cookie_free (cookie);
++}
++
+ static void
+ do_cookies_equal_nullpath (void)
+ {
+@@ -718,6 +727,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
+ 	g_test_add_func ("/cookies/parsing/max-age-int32-overflow", do_cookies_parsing_max_age_int32_overflow);
+ 	g_test_add_func ("/cookies/parsing/max-age-long-overflow", do_cookies_parsing_max_age_long_overflow);
++	g_test_add_func ("/cookies/parsing/int32-overflow", do_cookies_parsing_int32_overflow);
+ 	g_test_add_func ("/cookies/parsing/equal-nullpath", do_cookies_equal_nullpath);
+ 	g_test_add_func ("/cookies/parsing/control-characters", do_cookies_parsing_control_characters);
+         g_test_add_func ("/cookies/parsing/name-value-max-size", do_cookies_parsing_name_value_max_size);
+-- 
+2.49.0
+

libsoup-CVE-2026-0716.patch

@@ -0,0 +1,108 @@
+From 149750d7350c1d25b00bdb8355ad58d3864f902b Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Sun, 11 Jan 2026 10:52:14 -0600
+Subject: [PATCH] websocket: Fix out-of-bounds read in process_frame
+
+If the maximum incoming payload size is unset, then a malicious frame could
+cause an overflow when calculating the needed amount of data, leading to an
+out-of-bounds read later.
+
+This is CVE-2026-0716.
+
+Closes #476
+---
+ libsoup/websocket/soup-websocket-connection.c |  8 +++-
+ tests/websocket-test.c                        | 44 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index 30df9841..42867be3 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -1028,6 +1028,7 @@ process_frame (SoupWebsocketConnection *self)
+ 	guint8 opcode;
+ 	gsize len;
+ 	gsize at;
++	gsize required;
+ 	GBytes *filtered_bytes;
+ 	GList *l;
+ 	GError *error = NULL;
+@@ -1123,7 +1124,12 @@ process_frame (SoupWebsocketConnection *self)
+ 		payload += 4;
+ 		at += 4;
+ 
+-		if (len < at + payload_len)
++	if (!g_size_checked_add (&required, (gsize) at, (gsize) payload_len)) {
++		bad_data_error_and_close (self);
++		return FALSE;
++	}
++
++		if (len < required)
+ 			return FALSE; /* need more data */
+ 
+ 		xor_with_mask (mask, payload, payload_len);
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 194b966a..e887091d 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -2215,6 +2215,41 @@ test_connection_error (void)
+ 	soup_test_session_abort_unref (session);
+ }
+ 
++static void
++test_cve_2026_0716 (Test *test,
++                    gconstpointer unused)
++{
++	GError *error = NULL;
++	GIOStream *io;
++	gsize written;
++	const char *frame;
++	gboolean close_event = FALSE;
++
++	g_signal_handlers_disconnect_by_func (test->server, on_error_not_reached, NULL);
++	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	io = soup_websocket_connection_get_io_stream (test->client);
++
++	soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
++
++	// Malicious masked frame header (10-byte header + 4-byte mask) */
++	frame = "\x82\xff\xff\xff\xff\xff\xff\xff\xff\xf6\xaa\xbb\xcc\xdd";
++	if (!g_output_stream_write_all (g_io_stream_get_output_stream (io),
++					frame, 14, &written, NULL, NULL))
++		g_assert_cmpstr ("This code", ==, "should not be reached");
++	g_assert_cmpuint (written, ==, 14);
++
++	WAIT_UNTIL (error != NULL);
++	g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++	g_clear_error (&error);
++
++	WAIT_UNTIL (soup_websocket_connection_get_state (test->client) == SOUP_WEBSOCKET_STATE_CLOSED);
++	g_assert_true (close_event);
++
++	g_assert_cmpuint (soup_websocket_connection_get_close_code (test->client), ==, SOUP_WEBSOCKET_CLOSE_BAD_DATA);
++}
++
+ int
+ main (int argc,
+       char *argv[])
+@@ -2465,6 +2500,15 @@ main (int argc,
+ 
+ 	g_test_add_func ("/websocket/soup/connection-error", test_connection_error);
+ 
++	g_test_add ("/websocket/direct/cve-2026-0716", Test, NULL,
++		    setup_direct_connection,
++		    test_cve_2026_0716,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/cve-2026-0716", Test, NULL,
++		    setup_soup_connection,
++		    test_cve_2026_0716,
++		    teardown_soup_connection);
++
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+GitLab
+

libsoup-CVE-2026-0719.patch

@@ -0,0 +1,152 @@
+From c8f4979ebf1a701e2222661556b3e735b99b3341 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Thu, 8 Jan 2026 16:19:37 -0600
+Subject: [PATCH] soup-auth-ntlm: Use unsigned ints for byte counts in md4sum
+
+Otherwise, the variables could overflow if the password is long enough,
+leading to an out-of-bounds memory access.
+
+This is CVE-2026-0719.
+
+Closes #477.
+---
+ libsoup/auth/soup-auth-ntlm.c | 13 ++++---
+ tests/ntlm-test.c             | 64 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+), 5 deletions(-)
+
+diff --git a/libsoup/auth/soup-auth-ntlm.c b/libsoup/auth/soup-auth-ntlm.c
+index 7108a32c3..ef26ff40a 100644
+--- a/libsoup/auth/soup-auth-ntlm.c
++++ b/libsoup/auth/soup-auth-ntlm.c
+@@ -604,7 +604,7 @@ soup_auth_ntlm_class_init (SoupAuthNTLMClass *auth_ntlm_class)
+ }
+ 
+ static void md4sum                (const unsigned char *in, 
+-				   int                  nbytes, 
++				   size_t               nbytes, 
+ 				   unsigned char        digest[16]);
+ 
+ typedef guint32 DES_KS[16][2]; /* Single-key DES key schedule */
+@@ -650,7 +650,7 @@ soup_ntlm_nt_hash (const char *password, guchar hash[21])
+ {
+ 	unsigned char *buf, *p;
+ 
+-	p = buf = g_malloc (strlen (password) * 2);
++	p = buf = g_malloc_n (strlen (password), 2);
+ 
+ 	while (*password) {
+ 		*p++ = *password++;
+@@ -1092,15 +1092,16 @@ calc_response (const guchar *key, const guchar *plaintext, guchar *results)
+ #define ROT(val, n) ( ((val) << (n)) | ((val) >> (32 - (n))) )
+ 
+ static void
+-md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
++md4sum (const unsigned char *in, size_t nbytes, unsigned char digest[16])
+ {
+ 	unsigned char *M;
+ 	guint32 A, B, C, D, AA, BB, CC, DD, X[16];
+-	int pbytes, nbits = nbytes * 8, i, j;
++	size_t pbytes, nbits = nbytes * 8;
++	int i, j;
+ 
+ 	/* There is *always* padding of at least one bit. */
+ 	pbytes = ((119 - (nbytes % 64)) % 64) + 1;
+-	M = alloca (nbytes + pbytes + 8);
++	M = g_malloc (nbytes + pbytes + 8);
+ 	memcpy (M, in, nbytes);
+ 	memset (M + nbytes, 0, pbytes + 8);
+ 	M[nbytes] = 0x80;
+@@ -1200,6 +1201,8 @@ md4sum (const unsigned char *in, int nbytes, unsigned char digest[16])
+ 	digest[13] = (D >>  8) & 0xFF;
+ 	digest[14] = (D >> 16) & 0xFF;
+ 	digest[15] = (D >> 24) & 0xFF;
++
++	g_free (M);
+ }
+ 
+ 
+diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
+index a92a21c8c..5080f8e61 100644
+--- a/tests/ntlm-test.c
++++ b/tests/ntlm-test.c
+@@ -714,6 +714,67 @@ do_retrying_test (TestServer *ts,
+ 	soup_test_session_abort_unref (session);
+ }
+ 
++static gboolean
++long_password_test_authenticate (SoupMessage *msg,
++			         SoupAuth    *auth,
++			         gboolean     retrying,
++			          gpointer user)
++{
++	size_t l = 2147483647;
++	char *password;
++	char tmp[10000];
++	size_t i;
++
++	password = (char *)g_malloc (l);
++
++	for (i = 0; i < 10000; i++) {
++		tmp[i] = 'A';
++	}
++	for (i = 0; i < l/10000; i++) {
++		memcpy (password + i * 10000, tmp, 10000);
++	}
++	memcpy (password + l - 1 - 10000, tmp, 10000);
++        
++	soup_auth_authenticate (auth, "alice", password);
++
++	g_free (password);
++	return TRUE;
++}
++
++static void
++do_long_password_test (TestServer *ts,
++		  gconstpointer data)
++{
++	SoupSession *session;
++	SoupMessage *msg;
++	GUri *uri;
++	GBytes *body;
++
++#ifndef __SANITIZE_ADDRESS__
++        g_test_skip ("Slow, allocates a large amount of memory, and needs asan");
++        return;
++#endif
++
++	session = soup_test_session_new (NULL);
++        soup_session_add_feature_by_type (session, SOUP_TYPE_AUTH_NTLM);
++        soup_session_set_proxy_resolver(session, NULL);
++
++	uri = g_uri_parse_relative (ts->uri, "/alice", SOUP_HTTP_URI_FLAGS, NULL);
++	msg = soup_message_new_from_uri ("GET", uri);
++	g_signal_connect (msg, "authenticate",
++			  G_CALLBACK (long_password_test_authenticate), NULL);
++	g_uri_unref (uri);
++
++	body = soup_session_send_and_read (session, msg, NULL, NULL);
++
++	soup_test_assert_message_status (msg, SOUP_STATUS_OK);
++
++	g_bytes_unref (body);
++	g_object_unref (msg);
++
++	soup_test_session_abort_unref (session);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -737,6 +798,9 @@ main (int argc, char **argv)
+ 	g_test_add ("/ntlm/retry", TestServer, NULL,
+ 		    setup_server, do_retrying_test, teardown_server);
+ 
++	g_test_add ("/ntlm/long-password", TestServer, NULL,
++		    setup_server, do_long_password_test, teardown_server);
++
+ 	ret = g_test_run ();
+ 
+ 	test_cleanup ();
+-- 
+GitLab
+

libsoup.changes

@@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Mon Jan 12 02:48:06 UTC 2026 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Add libsoup-CVE-2026-0716.patch: Fix out-of-bounds read for
+  websocket (bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494).
+
+-------------------------------------------------------------------
+Fri Jan  9 02:37:48 UTC 2026 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Add libsoup-CVE-2026-0719.patch: Fix overflow for password md4sum
+  (bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493).
+
+-------------------------------------------------------------------
+Thu Jan  8 05:12:46 UTC 2026 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Add libsoup-CVE-2025-14523.patch: Reject duplicated Host in
+  headers (bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491).
+
+-------------------------------------------------------------------
+Tue Nov 18 19:58:09 UTC 2025 - Michael Gorse <mgorse@suse.com>
+
+- Add libsoup-CVE-2025-12105.patch: fix use after free caused by
+  'finishing' queue item twice (bsc#1252555 CVE-2025-12105
+  glgo#GNOME/libsoup!481).
+- Add i586 to the list of architectures where we re-run tests;
+  hsts-db-test is timing out there as well.
+
+-------------------------------------------------------------------
+Thu Oct 16 03:25:37 UTC 2025 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Update libsoup-CVE-2025-11021.patch: Add NULL check for
+  soup_date_time_to_string() (bsc#1250562, CVE-2025-11021,
+  glgo#GNOME/libsoup!483).
+
+-------------------------------------------------------------------
+Sat Oct 11 08:15:04 UTC 2025 - Alynx Zhou <alynx.zhou@suse.com>
+
+- Add libsoup-CVE-2025-11021.patch: Ignore invalid date when
+  processing cookies to prevent out-of-bounds read (bsc#1250562,
+  CVE-2025-11021, glgo#GNOME/libsoup!482).
+
+-------------------------------------------------------------------
+Wed Jun 18 14:56:51 UTC 2025 - Michael Gorse <mgorse@suse.com>
+
+- Add libsoup-CVE-2025-4945.patch: add value checks for date/time
+  parsing (boo#1243314 CVE-2025-4945).
+
 -------------------------------------------------------------------
 Wed May 28 15:42:56 UTC 2025 - Michael Gorse <mgorse@suse.com>
 

libsoup.spec

@@ -1,7 +1,8 @@
 #
 # spec file for package libsoup
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -38,6 +39,18 @@ Patch3:         libsoup-CVE-2025-4476.patch
 Patch4:         libsoup-CVE-2025-4948.patch
 # PATCH-FIX-UPSTREAM libsoup-CVE-2025-4969.patch boo#1243423 mgorse@suse.com -- soup-multipart: Verify array bounds before accessing its members.
 Patch5:         libsoup-CVE-2025-4969.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-4945.patch boo#1243314 mgorse@suse.com -- add value checks for date/time parsing.
+Patch6:         libsoup-CVE-2025-4945.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-11021.patch bsc#1250562, CVE-2025-11021, glgo#GNOME/libsoup!482 alynx.zhou@suse.com -- Ignore invalid date when processing cookie
+Patch7:         libsoup-CVE-2025-11021.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-12105.patch bsc#1252555 mgorse@suse.com -- fix use after free caused by 'finishing' queued item twice.
+Patch8:         libsoup-CVE-2025-12105.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2025-14523.patch bsc#1254876, CVE-2025-14523, glgo#GNOME/libsoup!491 alynx.zhou@suse.com -- Reject duplicated Host in headers
+Patch9:         libsoup-CVE-2025-14523.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0719.patch bsc#1256399, CVE-2026-0719, glgo#GNOME/libsoup!493 alynx.zhou@suse.com -- Fix overflow for password md4sum
+Patch10:        libsoup-CVE-2026-0719.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2026-0716.patch bsc#1256418, CVE-2026-0716, glgo#GNOME/libsoup!494 alynx.zhou@suse.com -- Fix out-of-bounds read for websocket
+Patch11:        libsoup-CVE-2026-0716.patch
 
 BuildRequires:  glib-networking
 BuildRequires:  meson >= 0.53
@@ -151,7 +164,7 @@ mv %{buildroot}%{_datadir}/doc/%{name}-%{api_version} %{buildroot}%{_docdir}
 %check
 # Run the regression tests using GnuTLS NORMAL priority
 export G_TLS_GNUTLS_PRIORITY=NORMAL
-%ifarch s390x ppc64le
+%ifarch s390x ppc64le i586
 %meson_test -t 5 || (%meson_test -t 5)
 %else
 %meson_test