🟠 High   ⏱ 15–60 min  Last verified: 25 May 2026
Affected versions: Ubuntu 16.04

πŸ“– ~4 min read  β€’  Source: Ubuntu Security Notice USN-7643-1

Related CVEs: CVE-2025-4969 CVE-2025-32914 CVE-2025-4945 CVE-2025-32907 CVE-2025-4948 CVE-2025-32053 CVE-2024-52531 CVE-2025-32052  +12 more

Upstream summary: Jan RΓ³ΕΌaΕ„ski discovered that libsoup incorrectly handled range headers in
an HTTP request. An attacker could possibly use this issue to cause libsoup
to consume excessive memory, resulting in a denial of service.
(CVE-2025-32907)

Alon Zahavi discovered that libsoup incorrectly handled memory when parsing
HTTP requests. An attacker could possibly use this issue to send a
maliciously crafted HTTP request to the server, causing a denial of service
or obtaining sensitive informa

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Ubuntu 16.04 hosts running libsoup2.4, administrators report behaviour consistent with Ubuntu Security Notice USN-7643-1: apt refusing to install or restart affected services, AppArmor denials in journalctl -k, and β€” for security-rated advisories β€” exposure to the vulnerability set above. In production estates the visible impact ranges from a single service restart to wider availability incidents whenever libsoup2.4 sits on the serving path.

Environment & Reproduction

Reproduction targets Ubuntu 16.04. Confirm release with lsb_release -a and cat /etc/os-release, and the currently installed package with dpkg -l libsoup2.4 and apt-cache policy libsoup2.4. Capture system state with sudo ubuntu-bug libsoup2.4 or sudo apport-collect for an evidence bundle. Trigger the workflow that exposes libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide while collecting journalctl -b, /var/log/apt/history.log, and dpkg -l output.

Root Cause Analysis

Root cause is documented in Ubuntu Security Notice USN-7643-1. Canonical security maintainers shipped fixes in the corresponding libsoup2.4 update for Ubuntu 16.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate journalctl --since timestamps with apt history (/var/log/apt/history.log) and any AppArmor denials in /var/log/syslog to isolate the originating change.

Quick Triage

Quick triage: run systemctl status libsoup2.4, journalctl -u libsoup2.4 -n 200, sudo apt update && apt list --upgradable, sudo ufw status verbose, and sudo aa-status. If AppArmor is in enforce mode, capture journalctl -k | grep apparmor to surface denials linked to libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide.

Step-by-Step Diagnosis

1) Confirm symptom with systemctl --failed. 2) Inspect logs: journalctl -xe and journalctl -u libsoup2.4. 3) Validate firewall: sudo ufw status numbered. 4) Check AppArmor: sudo aa-status and journalctl -k | grep apparmor. 5) Verify package integrity: dpkg -V libsoup2.4 and sudo apt install --reinstall libsoup2.4. 6) Correlate findings with apt list --installed libsoup2.4, /var/log/apt/history.log, and Ubuntu Security Notice USN-7643-1 to pin the change that introduced libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide.

Solution – Primary Fix

Primary fix for libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide: apply the corrective apt transaction described in Ubuntu Security Notice USN-7643-1, reload the affected systemd unit, and reconcile UFW / AppArmor state. Typical commands: sudo apt update, sudo apt -y install --only-upgrade libsoup2.4 or sudo unattended-upgrade -v, sudo systemctl daemon-reload, sudo systemctl restart libsoup2.4, then dpkg -l libsoup2.4 to validate the new build is installed. For kernel advisories add sudo reboot or apply Ubuntu Livepatch (canonical-livepatch status) where covered by your Ubuntu Pro subscription.

Need help rolling this patch across an Ubuntu fleet? Our IT Solutions & Services team manages Ubuntu patch windows with zero-downtime change controls and Ubuntu Pro / Landscape integration. Get in touch for a free consultation.

Solution – Alternative Approaches

Alternatives include pinning a known-good version via /etc/apt/preferences.d/libsoup2.4.pref with apt-mark hold libsoup2.4, rolling back with sudo apt install libsoup2.4=<old-version>, rotating UFW rules with sudo ufw reload, switching AppArmor profiles to complain mode (sudo aa-complain /etc/apparmor.d/usr.bin.libsoup2.4) to confirm policy is the cause before authoring a custom profile, or applying Canonical Livepatch fixes via canonical-livepatch refresh where Ubuntu Pro is subscribed.

Verification & Acceptance Criteria

Acceptance: dpkg -l libsoup2.4 shows the expected fixed version, systemctl is-active libsoup2.4 returns active, journalctl -u libsoup2.4 --since "5 minutes ago" shows no errors, apt list --upgradable no longer lists the advisory, sudo ufw status shows required services, sudo aa-status reports the intended profile mode, and the original reproduction steps for libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide no longer trigger the failure across two consecutive runs.

Rollback Plan

Capture state with apt list --installed > /root/apt-pre.txt, dpkg --get-selections > /root/dpkg-pre.txt, and where available sudo zfs snapshot rpool/ROOT/ubuntu@pre-libsoup2-4 on ZFS-on-root installs. To revert, run sudo apt install --allow-downgrades libsoup2.4=<old-version> and reload systemctl daemon-reload. Remove custom AppArmor profiles with sudo apparmor_parser -R. Reboot if the kernel or initramfs changed and re-verify symptoms.

Prevention & Hardening

Prevent recurrence by enabling unattended-upgrades with Unattended-Upgrade::Allowed-Origins tuned to ${distro_id}:${distro_codename}-security, subscribing to the ubuntu-security-announce mailing list, mirroring through Landscape / a local apt-mirror for controlled rollouts, version-locking sensitive packages, and monitoring file integrity with aide --check. Apply CIS Ubuntu hardening, keep AppArmor in enforce, and enable Canonical Livepatch under Ubuntu Pro so kernel advisories can be remediated without reboot.

Related issues that commonly surface alongside libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide: apt lock contention (dpkg --configure -a), systemd unit ordering cycles, AppArmor denials in journalctl -k, UFW zone drift, and kernel taint flags in cat /proc/sys/kernel/tainted. See sibling common-problem articles in this Ubuntu 16.04 series for adjacent failure modes.

View all ubuntu-16-04 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: Ubuntu Security Notice USN-7643-1. Supporting docs: Ubuntu Server Guide, man apt, man systemctl, man ufw, man aa-status, man apparmor, man journalctl, the Ubuntu CVE Tracker at ubuntu.com/security/cves, and Canonical Livepatch docs. Review /usr/share/doc/libsoup2.4/ for component-level notes implicated in libsoup2.4 β€” multiple vulnerabilities (20 CVEs) β€” patch and remediation guide.