CVE-2018-21035

Name: CVE-2018-21035
Description: The WebSocket implementation in Qt through 5.14.1 accepts frames of up to 2 GB and messages of up to 2 GB, and smaller limits cannot be configured. A remote peer can therefore force the receiver to buffer that much data, which makes a denial of service (memory consumption) easier to cause.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 953049
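The description says the 2 GB frame and message limits cannot be lowered in Qt through 5.14.1. As an added example (not code from Qt, QtWebSockets or this tracker page), the following standalone C++ shows where such a limit belongs: the payload length a peer declares in the RFC 6455 frame header is read and compared against caller-chosen frame and message caps before any payload is buffered, so an oversized or endlessly fragmented message is refused without allocating for it. The class and function names, the default caps, and the constructed test headers are this example's own assumptions; the 2 GB figure in the usage comes only from the description above.

```cpp
// Added example, not Qt's code: an RFC 6455 frame-header reader that applies
// caller-chosen frame and message limits before any payload is buffered.
#include <cstddef>
#include <cstdint>
#include <vector>

enum class FrameStatus { Ok, Incomplete, Malformed, FrameTooLarge, MessageTooLarge };

struct FrameHeader {
    bool fin = false;
    uint8_t opcode = 0;
    bool masked = false;
    uint64_t payloadLength = 0;  // length the peer claims; nothing is allocated for it here
    size_t headerLength = 0;     // bytes consumed by the header itself
};

// Decode the header at the start of `data`. Only the header is read, so the
// caller can reject an oversized frame before committing memory to it.
FrameStatus parseFrameHeader(const uint8_t* data, size_t len, FrameHeader& out) {
    if (len < 2) return FrameStatus::Incomplete;
    if (data[0] & 0x70) return FrameStatus::Malformed;  // RSV bits need a negotiated extension
    out.fin = (data[0] & 0x80) != 0;
    out.opcode = data[0] & 0x0F;
    out.masked = (data[1] & 0x80) != 0;
    const uint8_t len7 = data[1] & 0x7F;
    const size_t ext = (len7 == 126) ? 2 : (len7 == 127) ? 8 : 0;
    const size_t need = 2 + ext + (out.masked ? 4 : 0);
    if (len < need) return FrameStatus::Incomplete;
    uint64_t n = len7;
    if (ext) {
        n = 0;
        for (size_t i = 0; i < ext; ++i) n = (n << 8) | data[2 + i];
        // RFC 6455 5.2: minimal length encoding; the 64-bit form must have its MSB clear.
        if ((ext == 2 && n < 126) || (ext == 8 && (n < 65536 || (n >> 63)))) return FrameStatus::Malformed;
    }
    // Control frames (opcode >= 0x8) carry at most 125 bytes and cannot be fragmented.
    if (out.opcode >= 0x8 && (n > 125 || !out.fin)) return FrameStatus::Malformed;
    out.payloadLength = n;
    out.headerLength = need;
    return FrameStatus::Ok;
}

// Tracks one in-flight (possibly fragmented) message against two limits. The
// class and its limits are this example's own, not an API of QtWebSockets.
class BoundedMessageAssembler {
public:
    BoundedMessageAssembler(uint64_t maxFrame, uint64_t maxMessage)
        : maxFrame_(maxFrame), maxMessage_(maxMessage) {}

    // Decide on a frame from its header alone; the payload is never touched.
    FrameStatus accept(const uint8_t* data, size_t len, FrameHeader& hdr) {
        const FrameStatus st = parseFrameHeader(data, len, hdr);
        if (st != FrameStatus::Ok) return st;
        if (hdr.payloadLength > maxFrame_) return FrameStatus::FrameTooLarge;
        if (hdr.opcode >= 0x8) return FrameStatus::Ok;  // control frames don't belong to a message
        // pending_ <= maxMessage_ always holds, so this subtraction cannot underflow.
        if (hdr.payloadLength > maxMessage_ - pending_) return FrameStatus::MessageTooLarge;
        pending_ += hdr.payloadLength;
        if (hdr.fin) pending_ = 0;  // message complete; the next data frame starts a new one
        return FrameStatus::Ok;
    }
    uint64_t pendingBytes() const { return pending_; }

private:
    uint64_t maxFrame_, maxMessage_, pending_ = 0;
};

// Builds an unmasked frame header (no payload) as constructed test input.
std::vector<uint8_t> makeHeader(bool fin, uint8_t opcode, uint64_t payloadLength) {
    std::vector<uint8_t> h;
    h.push_back(static_cast<uint8_t>((fin ? 0x80 : 0x00) | (opcode & 0x0F)));
    if (payloadLength < 126) {
        h.push_back(static_cast<uint8_t>(payloadLength));
    } else if (payloadLength < 65536) {
        h.push_back(126);
        h.push_back(static_cast<uint8_t>(payloadLength >> 8));
        h.push_back(static_cast<uint8_t>(payloadLength & 0xFF));
    } else {
        h.push_back(127);
        for (int i = 7; i >= 0; --i) h.push_back(static_cast<uint8_t>((payloadLength >> (8 * i)) & 0xFF));
    }
    return h;
}

// One-shot verdict on a single frame. The defaults are this example's choice;
// per the description, Qt through 5.14.1 uses 2 GB for both and cannot be lowered.
FrameStatus checkFrame(const std::vector<uint8_t>& bytes, uint64_t maxFrame = 1 << 20, uint64_t maxMessage = 8 << 20) {
    BoundedMessageAssembler a(maxFrame, maxMessage);
    FrameHeader h;
    return a.accept(bytes.data(), bytes.size(), h);
}

// Feeds non-final binary frames of `frameLen` bytes until the message limit
// trips; returns how many were accepted (capped so the loop stays finite).
size_t framesAcceptedBeforeMessageLimit(uint64_t frameLen, uint64_t maxMessage) {
    BoundedMessageAssembler a(frameLen, maxMessage);
    FrameHeader h;
    size_t accepted = 0;
    for (; accepted < 1000; ++accepted) {
        const std::vector<uint8_t> f = makeHeader(false, accepted == 0 ? 0x2 : 0x0, frameLen);
        if (a.accept(f.data(), f.size(), h) != FrameStatus::Ok) break;
    }
    return accepted;
}
```

With 2 GB caps, `checkFrame(makeHeader(true, 0x2, 0x7FFFFFFF), 2ULL << 30, 2ULL << 30)` accepts a header that announces a 2 GB payload, which is the behaviour the description attributes to Qt; with the 1 MiB default it returns `FrameTooLarge` before a single payload byte is read. The message cap matters separately: a peer can keep every frame small and still grow one fragmented message without bound, which is what `framesAcceptedBeforeMessageLimit` stops.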

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                        Release         Version             Status
qtwebsockets-opensource-src (PTS)     stretch         5.7.1~20161021-4    vulnerable
                                      buster          5.11.3-5            vulnerable
                                      bullseye, sid   5.15.1-2            vulnerable

The information below is based on the following data on fixed versions.

Package                        Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
qtwebsockets-opensource-src    source   (unstable)   (unfixed)       low       -        953049

Notes

[buster] - qtwebsockets-opensource-src <ignored> (Minor issue)
[stretch] - qtwebsockets-opensource-src <ignored> (Minor issue)
[jessie] - qtwebsockets-opensource-src <no-dsa> (Minor issue)
https://bugreports.qt.io/browse/QTBUG-70693
https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
