Your message dated Thu, 06 Nov 2025 19:32:10 +0000
with message-id <[email protected]>
and subject line Bug#1118746: fixed in libwebsockets 4.3.5-1+deb13u1
has caused the Debian Bug report #1118746,
regarding libwebsockets: CVE-2025-11678
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libwebsockets
Version: 4.3.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.3.5-1
Hi,
The following vulnerability was published for libwebsockets.
CVE-2025-11678[0]:
| Stack-based Buffer Overflow in lws_adns_parse_label in warmcat
| libwebsockets allows, when the LWS_WITH_SYS_ASYNC_DNS flag is
| enabled during compilation, to overflow the label_stack, when the
| attacker is able to sniff a DNS request in order to craft a response
| with a matching id containing a label longer than the maximum.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-11678
https://www.cve.org/CVERecord?id=CVE-2025-11678
[1] https://libwebsockets.org/git/libwebsockets/commit?id=2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
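The CVE text in the report above describes a DNS response label longer than the maximum overflowing a stack buffer. As an added example (not libwebsockets code and not the upstream fix), here is a name parser that checks every length octet against the RFC 1035 label limit, the packet bounds and the destination size before copying. `dns_parse_name` and its constants are hypothetical names, and compression pointers are simply rejected to keep the case narrow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63   /* RFC 1035: a label is at most 63 octets */
#define DNS_MAX_NAME  253  /* dotted name without the trailing dot */

/* Hypothetical helper, not libwebsockets' lws_adns_parse_label(): copy the
 * uncompressed name at pkt[off] into out as "a.b.c". Returns the number of
 * packet bytes consumed, or -1 on malformed or oversized input. */
int dns_parse_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                   char *out, size_t out_len)
{
    size_t start = off, w = 0;
    if (!out_len)
        return -1;
    for (;;) {
        if (off >= pkt_len)
            return -1;               /* length octet lies outside the packet */
        size_t ll = pkt[off++];
        if (!ll)
            break;                   /* root label terminates the name */
        if (ll > DNS_MAX_LABEL)
            return -1;               /* over-long label, or a 0xC0 pointer */
        if (ll > pkt_len - off)
            return -1;               /* label runs past the end of the packet */
        size_t need = ll + (w ? 1 : 0);          /* label plus '.' separator */
        if (need > DNS_MAX_NAME - w || need >= out_len - w)
            return -1;               /* name limit or destination exceeded */
        if (w)
            out[w++] = '.';
        memcpy(out + w, pkt + off, ll);
        w += ll;
        off += ll;
    }
    out[w] = '\0';
    return (int)(off - start);
}

int main(void)
{
    /* Constructed sample: wire form of www.example.com (literal's NUL = root) */
    static const uint8_t q[] = "\x03www\x07" "example\x03" "com";
    char name[64];
    int n = dns_parse_name(q, sizeof(q), 0, name, sizeof(name));
    printf("%d %s\n", n, n < 0 ? "(rejected)" : name);
    return 0;
}
```

The length octet comes from the network, so it is compared against a constant and against the remaining space before it is ever used as a copy size.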
--- Begin Message ---
Source: libwebsockets
Source-Version: 4.3.5-1+deb13u1
Done: Moritz Mühlenhoff <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libwebsockets, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated libwebsockets package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 04 Nov 2025 00:02:18 +0100
Source: libwebsockets
Architecture: source
Version: 4.3.5-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1118746 1118747
Changes:
libwebsockets (4.3.5-1+deb13u1) trixie; urgency=medium
.
* CVE-2025-11677 (Closes: #1118747)
* CVE-2025-11678 (Closes: #1118746)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---