Your message dated Sun, 01 Mar 2026 22:51:45 +0000
with message-id <[email protected]>
and subject line Bug#1129381: fixed in nats-server 2.12.4-1
has caused the Debian Bug report #1129381,
regarding nats-server: CVE-2026-27571
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129381
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nats-server
Version: 2.10.27-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nats-server.

CVE-2026-27571[0]:
| NATS-Server is a High-Performance server for NATS.io, a cloud and
| edge native messaging system. The WebSockets handling of NATS
| messages handles compressed messages via the WebSockets negotiated
| compression. Prior to versions 2.11.2 and 2.12.3, the implementation
| bound the memory size of a NATS message but did not independently
| bound the memory consumption of the memory stream when constructing
| a NATS message which might then fail validation for size reasons. An
| attacker can use a compression bomb to cause excessive memory
| consumption, often resulting in the operating system terminating the
| server process. The use of compression is negotiated before
| authentication, so this does not require valid NATS credentials to
| exploit. The fix, present in versions 2.11.2 and 2.12.3, was to
| bound the decompression to fail once the message was too large,
| instead of continuing on. The vulnerability only affects deployments
| which use WebSockets and which expose the network port to untrusted
| end-points.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27571
    https://www.cve.org/CVERecord?id=CVE-2026-27571
[1] https://github.com/nats-io/nats-server/security/advisories/GHSA-qrvq-68c2-7grw
[2] https://github.com/nats-io/nats-server/commit/f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
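The advisory describes the fix as bounding decompression so it fails once a message is too large, instead of inflating the whole stream and only then checking its size. As an added example, not nats-server's own code, here is a Go reader that enforces a payload limit while inflating a deflate stream; boundedReader, inflateBounded and compressZeros are names chosen here, and compressZeros only builds a constructed, highly compressible test frame.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

var ErrMessageTooLarge = errors.New("decompressed message exceeds max payload")

// boundedReader fails once the wrapped stream has produced more than max bytes.
type boundedReader struct {
	r    io.Reader
	max  int64
	seen int64
}

func (b *boundedReader) Read(p []byte) (int, error) {
	if b.seen > b.max {
		return 0, ErrMessageTooLarge
	}
	// Request at most one byte past the limit: enough to detect overflow
	// without buffering a large surplus.
	if rem := b.max - b.seen + 1; int64(len(p)) > rem {
		p = p[:rem]
	}
	n, err := b.r.Read(p)
	b.seen += int64(n)
	if b.seen > b.max {
		return n, ErrMessageTooLarge
	}
	return n, err
}

// inflateBounded enforces maxPayload while inflating, so memory use stays
// near the limit no matter how far the compressed frame would expand.
func inflateBounded(compressed []byte, maxPayload int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	return io.ReadAll(&boundedReader{r: r, max: maxPayload})
}

// compressZeros is a constructed test input: n zero bytes deflated to a few hundred bytes.
func compressZeros(n int) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(make([]byte, n))
	w.Close()
	return buf.Bytes()
}
```

With a 64 KiB limit, a frame that would inflate to 1 MiB is rejected after at most 64 KiB + 1 bytes have been produced, while frames at or under the limit inflate normally.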
--- Begin Message ---
Source: nats-server
Source-Version: 2.12.4-1
Done: Mathias Gibbens <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nats-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathias Gibbens <[email protected]> (supplier of updated nats-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 01 Mar 2026 18:29:57 +0000
Source: nats-server
Architecture: source
Version: 2.12.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Mathias Gibbens <[email protected]>
Closes: 1129381
Changes:
 nats-server (2.12.4-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream release
     - Includes fix for CVE-2026-27571 (Closes: #1129381)
   * d/control:
     - Update Standards-Version to 4.7.3, drop Priority field
     - Update Build-Depends and Depends
     - Drop redundant Rules-Requires-Root
     - Add Static-Built-Using
   * Update d/watch to ignore pre-release versions



--- End Message ---
