CVE-2018-21035

Name: CVE-2018-21035
Description: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 953049

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                     Release      Version    Status
qtwebsockets-opensource-src (PTS)  buster       5.11.3-5   vulnerable
                                   bullseye     5.15.2-2   fixed
                                   bookworm     5.15.8-2   fixed
                                   sid, trixie  5.15.10-2  fixed

The information below is based on the following data on fixed versions.

Package                      Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
qtwebsockets-opensource-src  source  (unstable)  5.15.1-2       low              953049

Notes

[buster] - qtwebsockets-opensource-src <ignored> (Minor issue, fix adds new API only)
[stretch] - qtwebsockets-opensource-src <ignored> (Minor issue)
[jessie] - qtwebsockets-opensource-src <no-dsa> (Minor issue)
https://bugreports.qt.io/browse/QTBUG-70693
https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
https://github.com/qt/qtwebsockets/commit/ed93680f34e92ad0383aa4e610bb65689118ca93