Bug#953049: marked as done (qtwebsockets-opensource-src: CVE-2018-21035: QWebsocket large frame/message issue, denial of service)
Your message dated Sun, 10 Jan 2021 00:13:28 +0100
with message-id <X/o4mCXmRC62z2si@pisco.westfalen.local>
and subject line Re: qtwebsockets-opensource-src: CVE-2018-21035: QWebsocket large frame/message issue, denial of service
has caused the Debian Bug report #953049,
regarding qtwebsockets-opensource-src: CVE-2018-21035: QWebsocket large frame/message issue, denial of service
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
953049: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953049
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: qtwebsockets-opensource-src: CVE-2018-21035: QWebsocket large frame/message issue, denial of service
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 03 Mar 2020 20:57:01 +0100
- Message-id: <158326542143.2066792.6126597825939720200.reportbug@eldamar.local>
Source: qtwebsockets-opensource-src
Version: 5.14.1-1
Severity: important
Tags: security upstream
Forwarded: https://bugreports.qt.io/browse/QTBUG-70693
Control: found -1 5.12.5-2
Control: found -1 5.11.3-5
Hi,
The following vulnerability was published for qtwebsockets-opensource-src.
CVE-2018-21035[0]:
| In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB
| for frames and 2GB for messages. Smaller limits cannot be configured.
| This makes it easier for attackers to cause a denial of service
| (memory consumption).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-21035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21035
[1] https://bugreports.qt.io/browse/QTBUG-70693
[2] https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: 953049-done@bugs.debian.org
- Subject: Re: qtwebsockets-opensource-src: CVE-2018-21035: QWebsocket large frame/message issue, denial of service
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Sun, 10 Jan 2021 00:13:28 +0100
- Message-id: <X/o4mCXmRC62z2si@pisco.westfalen.local>
- In-reply-to: <158326542143.2066792.6126597825939720200.reportbug@eldamar.local>
- References: <158326542143.2066792.6126597825939720200.reportbug@eldamar.local>
Version: 5.15.1-2
Am Tue, Mar 03, 2020 at 08:57:01PM +0100 schrieb Salvatore Bonaccorso:
> Source: qtwebsockets-opensource-src
> Version: 5.14.1-1
> Severity: important
> Tags: security upstream
> Forwarded: https://bugreports.qt.io/browse/QTBUG-70693
> Control: found -1 5.12.5-2
> Control: found -1 5.11.3-5
>
> Hi,
>
> The following vulnerability was published for qtwebsockets-opensource-src.
>
> CVE-2018-21035[0]:
> | In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB
> | for frames and 2GB for messages. Smaller limits cannot be configured.
> | This makes it easier for attackers to cause a denial of service
> | (memory consumption).
Fixed in https://github.com/qt/qtwebsockets/commit/ed93680f34e92ad0383aa4e610bb65689118ca93
Cheers,
Moritz
--- End Message ---
Reply to: