Your message dated Sun, 07 Jun 2026 07:04:53 +0000
with message-id <[email protected]>
and subject line Bug#1139178: fixed in libwebsockets 4.3.5-5
has caused the Debian Bug report #1139178,
regarding libwebsockets: CVE-2026-10650
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139178: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139178
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libwebsockets
Version: 4.3.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libwebsockets.
CVE-2026-10650[0]:
| A flaw has been found in warmcat libwebsockets up to 4.5.8. This
| issue affects the function lws_ssh_parse_plaintext of the file
| plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol
| Handler. Executing a manipulation of the argument msg_len can lead
| to resource consumption. The attack may be launched remotely. The
| exploit has been published and may be used. This patch is called
| 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied
| to remediate this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-10650
https://www.cve.org/CVERecord?id=CVE-2026-10650
[1]
https://libwebsockets.org/git/libwebsockets/commit?id=3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libwebsockets
Source-Version: 4.3.5-5
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libwebsockets, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated libwebsockets
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2026 01:17:52 +0200
Source: libwebsockets
Architecture: source
Version: 4.3.5-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1139178
Changes:
libwebsockets (4.3.5-5) unstable; urgency=high
.
* Backport upstream security fix for CVE-2026-10650: resource consumption
in the lws_ssh_parse_plaintext() function (closes: #1139178).
Checksums-Sha1:
c331444d90fe87291056736090c109f49ba05691 2547 libwebsockets_4.3.5-5.dsc
9ce579b1845d7feed6c9967f50698de09baecec6 24588
libwebsockets_4.3.5-5.debian.tar.xz
Checksums-Sha256:
5d806a726334d48c2b1a1618bd39067ced28266f217c036eb04cf935dc94e619 2547
libwebsockets_4.3.5-5.dsc
d2da8b60070e08572325601eaa0e83a45db5fe19a72ea21e144d232b41e5104d 24588
libwebsockets_4.3.5-5.debian.tar.xz
Files:
3c76cf6e7cbd634021f44b38f2bd67e6 2547 libs optional libwebsockets_4.3.5-5.dsc
5beb5672a39885ca5f8f3962813eaded 24588 libs optional
libwebsockets_4.3.5-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmolE/cACgkQ3OMQ54ZM
yL+QIA/+JMMs7449xuOLFDe9Pn0RqXnLqNv9pUSmo4+DzOv9Tjp5DG6JMskWwFL7
i8TIef1sr/2bQKt059DSMYkX03Wxb4i6vJgttDZp2+4eqxg7tO1mofUhn3BGLu0j
EHlHf7Tci3xOR66H+dIkM5EpbY1PsGN49/aKlA7OcYVfIuDYCSrCa9gHu4OzMwK5
+FYHWWVjm40FocQpDunURUScIhHwBYLA6FqdWkYn9YasdwKo8U/1T1mLkzSaDLaj
LJs1BmOEErhImwCIsJgNnVL0/kR6+ru/lPp2HmzZwvRQNd261wP443ZR/3vPCOnS
TSvqOPfS4x7agA4Ts8qrizhsoRkryAVPO037ol1+wH9sQaSZ/UpL73W3slTyY+Gf
+wnN9gY868NAoci+SnWeCapG+y8AqHNfnH/s2zSryJF0PeeWeKP8VfG6hXyLM5wU
zLqNOhqC7W2edis9nrjIRVrT2RJE58ggPNRtj06jCz5iesXWUJjbOmq9ycEvpHje
+j6eNVKS8aZPtTippfsQW3IUdeCI2AjOxRehbllJq9JRuQeNJfPxxd1uLwKdJeMk
tr4XRQtaF247EfNrBWOA3d4WxsfhEgkupYt0sE9u97S/xv4KR5PFSnhJY8Vr1QbL
JyC3+goivHLu3k5v2VaVjdjjgJXmayXGL6yNeAuhTOx666mQiOs=
=Fon9
-----END PGP SIGNATURE-----
pgpWkluSR_QOr.pgp
Description: PGP signature
--- End Message ---