[SECURITY] [DLA 4373-1] libwebsockets security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4373-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
November 17, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libwebsockets
Version : 4.0.20-2+deb11u1
CVE ID : CVE-2025-11677 CVE-2025-11678
Debian Bug : 1118746 1118747
Libwebsockets (LWS) is a flexible, lightweight pure C library for
implementing modern network protocols easily with a tiny footprint,
using a nonblocking event loop.
CVE-2025-11677
Use After Free in WebSocket server implementation in
lws_handshake_server in warmcat libwebsockets may allow an attacker,
in specific configurations where the user provides a callback
function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve
denial of service.
CVE-2025-11678
Stack-based Buffer Overflow in lws_adns_parse_label in warmcat
libwebsockets allows an attacker, when the LWS_WITH_SYS_ASYNC_DNS flag
is enabled during compilation, to overflow the label_stack: an attacker
able to sniff a DNS request can craft a response with a matching ID
that contains a label longer than the maximum.
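The defect class behind CVE-2025-11678 is a DNS label copied into a fixed stack buffer before its length octet is validated. The following is an added example, not libwebsockets code: a bounds-checked parser for an uncompressed DNS wire-format name that rejects any label whose length octet exceeds the 63-octet limit from RFC 1035 (and truncated or over-long input) before touching the stack buffer. The function names, the constructed sample messages and the decision to reject compression pointers are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL 63    /* RFC 1035 2.3.4: a label is at most 63 octets */
#define DNS_MAX_NAME  255   /* RFC 1035 2.3.4: a name is at most 255 octets */

/*
 * Parse one uncompressed DNS name starting at msg[off] into dotted text.
 * Returns the offset just past the terminating zero-length label, or -1 on
 * malformed input. The length octet is validated before any bytes are
 * copied into the fixed-size stack buffer `label`, which is exactly the
 * check a label-stack overflow needs.
 */
int dns_parse_name(const uint8_t *msg, size_t msglen, size_t off,
                   char *out, size_t outlen)
{
    char label[DNS_MAX_LABEL + 1];   /* fixed stack buffer; never exceeded */
    size_t o = 0;                    /* bytes written to out */
    size_t wire = 0;                 /* name octets consumed so far */

    if (msg == NULL || out == NULL || outlen == 0)
        return -1;

    for (;;) {
        if (off >= msglen)
            return -1;                   /* length octet past end of message */
        uint8_t len = msg[off++];
        wire++;
        if (len == 0)
            break;                       /* root label terminates the name */
        /* Values above 63 are compression pointers (0xC0 prefix) or reserved
         * (0x40/0x80 prefix). Neither is supported here, so this one test
         * also guarantees `label` cannot be overrun. */
        if (len > DNS_MAX_LABEL)
            return -1;
        if (len > msglen - off)
            return -1;                   /* label body past end of message */
        wire += len;
        if (wire > DNS_MAX_NAME)
            return -1;                   /* whole name exceeds the RFC limit */
        memcpy(label, msg + off, len);
        label[len] = '\0';
        off += len;

        size_t need = o + (o > 0 ? 1 : 0) + len + 1;   /* sep + label + NUL */
        if (need > outlen)
            return -1;                   /* caller's output buffer too small */
        if (o > 0)
            out[o++] = '.';
        memcpy(out + o, label, len);
        o += len;
    }
    out[o] = '\0';
    return (int)off;
}

/* Convenience wrapper: parse the name at offset 0 into a static buffer,
 * returning NULL when the input is rejected. */
const char *dns_name_text(const uint8_t *msg, size_t msglen)
{
    static char text[DNS_MAX_NAME + 1];
    return dns_parse_name(msg, msglen, 0, text, sizeof text) < 0 ? NULL : text;
}

/* Constructed sample inputs for this example (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0
};
static const uint8_t SAMPLE_TRUNCATED[] = { 5, 'a', 'b', 'c' }; /* claims 5 octets, has 3 */
static const uint8_t SAMPLE_ROOT[] = { 0 };

/* A label whose length octet claims 64 octets: must be rejected, not copied. */
int dns_parse_oversized_label(void)
{
    uint8_t msg[1 + 64 + 1];
    char out[DNS_MAX_NAME + 1];
    msg[0] = 64;
    memset(msg + 1, 'a', 64);
    msg[65] = 0;
    return dns_parse_name(msg, sizeof msg, 0, out, sizeof out);
}

int main(void)
{
    const char *n = dns_name_text(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    printf("good:      %s\n", n ? n : "(rejected)");
    printf("oversized: %d\n", dns_parse_oversized_label());
    printf("truncated: %s\n",
           dns_name_text(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)
               ? "accepted" : "rejected");
    return 0;
}
```

Note that the transaction ID match the advisory mentions is not a defence against this bug: an attacker who can observe the request already knows the ID, so the parser itself has to bound every copy, as above.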
For Debian 11 bullseye, these problems have been fixed in version
4.0.20-2+deb11u1.
We recommend that you upgrade your libwebsockets packages.
For the detailed security status of libwebsockets please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libwebsockets
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS