Your message dated Mon, 27 Oct 2025 20:36:24 +0000
with message-id <[email protected]>
and subject line Bug#1118747: fixed in libwebsockets 4.3.5-3
has caused the Debian Bug report #1118747,
regarding libwebsockets: CVE-2025-11677
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118747
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libwebsockets
Version: 4.3.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libwebsockets.
CVE-2025-11677[0]:
| Use After Free in WebSocket server implementation in
| lws_handshake_server in warmcat libwebsockets may allow an attacker,
| in specific configurations where the user provides a callback
| function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve
| denial of service.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11677
https://www.cve.org/CVERecord?id=CVE-2025-11677
[1] https://libwebsockets.org/git/libwebsockets/commit?id=2f082ec31261f556969160143ba94875d783971a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libwebsockets
Source-Version: 4.3.5-3
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libwebsockets, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated libwebsockets package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 27 Oct 2025 18:31:12 +0100
Source: libwebsockets
Architecture: source
Version: 4.3.5-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1118746 1118747
Changes:
 libwebsockets (4.3.5-3) unstable; urgency=high
 .
   * Backport upstream security fix for CVE-2025-11677: use after free in
     lws_handshake_server() (closes: #1118747).
   * Backport upstream security fix for CVE-2025-11678: stack-based buffer
     overflow in lws_adns_parse_label() (closes: #1118746).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---