Your message dated Sun, 21 Dec 2025 12:33:57 +0000
with message-id <[email protected]>
and subject line Bug#1121415: fixed in libcoap3 4.3.5-2
has caused the Debian Bug report #1121415,
regarding libcoap3: CVE-2025-65493 CVE-2025-65494 CVE-2025-65495 CVE-2025-65496 CVE-2025-65497 CVE-2025-65498 CVE-2025-65499 CVE-2025-65500 CVE-2025-65501
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121415: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libcoap3
Version: 4.3.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/obgm/libcoap/pull/1750
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libcoap3.

CVE-2025-65493[0]:
| NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5
| allows remote attackers to cause a denial of service via a crafted
| DTLS/TLS connection that triggers BIO_get_data() to return NULL.


CVE-2025-65494[1]:
| NULL pointer dereference in get_san_or_cn_from_cert() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted X.509 certificate that
| causes sk_GENERAL_NAME_value() to return NULL.


CVE-2025-65495[2]:
| Integer signedness error in tls_verify_call_back() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted TLS certificate that causes
| i2d_X509() to return -1 and be misused as a malloc() size parameter.


CVE-2025-65496[3]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.


CVE-2025-65497[4]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.


CVE-2025-65498[5]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.


CVE-2025-65499[6]:
| Array index error in tls_verify_call_back() in src/coap_openssl.c in
| OISM libcoap 4.3.5 allows remote attackers to cause a denial of
| service via a crafted DTLS handshake that triggers
| SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.


CVE-2025-65500[7]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.


CVE-2025-65501[8]:
| Null pointer dereference in coap_dtls_info_callback() in OISM
| libcoap 4.3.5 allows remote attackers to cause a denial of service
| via a DTLS handshake where SSL_get_app_data() returns NULL.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65493
    https://www.cve.org/CVERecord?id=CVE-2025-65493
[1] https://security-tracker.debian.org/tracker/CVE-2025-65494
    https://www.cve.org/CVERecord?id=CVE-2025-65494
[2] https://security-tracker.debian.org/tracker/CVE-2025-65495
    https://www.cve.org/CVERecord?id=CVE-2025-65495
[3] https://security-tracker.debian.org/tracker/CVE-2025-65496
    https://www.cve.org/CVERecord?id=CVE-2025-65496
[4] https://security-tracker.debian.org/tracker/CVE-2025-65497
    https://www.cve.org/CVERecord?id=CVE-2025-65497
[5] https://security-tracker.debian.org/tracker/CVE-2025-65498
    https://www.cve.org/CVERecord?id=CVE-2025-65498
[6] https://security-tracker.debian.org/tracker/CVE-2025-65499
    https://www.cve.org/CVERecord?id=CVE-2025-65499
[7] https://security-tracker.debian.org/tracker/CVE-2025-65500
    https://www.cve.org/CVERecord?id=CVE-2025-65500
[8] https://security-tracker.debian.org/tracker/CVE-2025-65501
    https://www.cve.org/CVERecord?id=CVE-2025-65501
[9] https://github.com/obgm/libcoap/pull/1750

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
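The signedness bug behind CVE-2025-65495 is the classic OpenSSL i2d_* pattern: the length-query call can return -1, and passing that int to malloc() converts it to SIZE_MAX. As an added example (not libcoap's code and not the upstream fix in pull 1750), here is the defensive DER-copy routine with a constructed encoder stub standing in for i2d_X509(), since no OpenSSL is assumed:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for an OpenSSL-style i2d_* encoder (the convention
 * i2d_X509() follows): with *out == NULL it returns the DER length,
 * otherwise it writes the bytes and advances *out; negative means failure. */
typedef int (*i2d_fn)(const void *obj, unsigned char **out);

/* Constructed sample DER: SEQUENCE { INTEGER 5 } */
static const unsigned char SAMPLE_DER[] = {0x30, 0x03, 0x02, 0x01, 0x05};

static int i2d_ok(const void *obj, unsigned char **out) {
    (void)obj;
    if (out != NULL && *out != NULL) {
        memcpy(*out, SAMPLE_DER, sizeof SAMPLE_DER);
        *out += sizeof SAMPLE_DER;
    }
    return (int)sizeof SAMPLE_DER;
}

static int i2d_fail(const void *obj, unsigned char **out) {
    (void)obj; (void)out;
    return -1;                      /* encoding error, as i2d_X509() reports it */
}

/* Hardened copy: reject a failed or empty encode before the value reaches
 * malloc(), then verify the second pass wrote exactly the announced length. */
unsigned char *der_copy(i2d_fn encode, const void *obj, size_t *out_len) {
    int len = encode(obj, NULL);
    if (len <= 0)
        return NULL;                /* -1 would otherwise become SIZE_MAX */
    unsigned char *buf = malloc((size_t)len);
    if (buf == NULL)
        return NULL;
    unsigned char *p = buf;
    if (encode(obj, &p) != len || p != buf + len) {
        free(buf);                  /* encoder disagreed with itself: discard */
        return NULL;
    }
    *out_len = (size_t)len;
    return buf;
}

/* What an unchecked `malloc(len)` would actually request for a given len. */
size_t unchecked_alloc_size(int len) {
    return (size_t)len;
}
```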
--- Begin Message ---
Source: libcoap3
Source-Version: 4.3.5-2
Done: Thorsten Alteholz <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libcoap3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated libcoap3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 21 Dec 2025 10:23:22 +0100
Source: libcoap3
Architecture: source
Version: 4.3.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian IoT Maintainers <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 1121415 1122290 1122433
Changes:
 libcoap3 (4.3.5-2) unstable; urgency=medium
 .
   * add fonts-urw-base35 as dependency
     (to install the missing URW Type 1 fonts, Closes: #1122433)
   * add spelling.patch
   * CVE-2025-59391 (Closes: #1122290)
     fix OSCORE configuration file parsing issue
   * CVE-2025-65493 (Closes: 1121415)
     fix NULL pointer dereference
   * CVE-2025-65494
     fix NULL pointer dereference
   * CVE-2025-65495
     fix integer signedness
   * CVE-2025-65496
     fix NULL pointer dereference
   * CVE-2025-65497
     fix NULL pointer dereference
   * CVE-2025-65498
     fix NULL pointer dereference
   * CVE-2025-65499
     fix array index error
   * CVE-2025-65500
     fix NULL pointer dereference
   * CVE-2025-65501
     fix NULL pointer dereference



--- End Message ---