CVE-2020-13962

NameCVE-2020-13962
DescriptionQt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qtbase-opensource-src (PTS)bullseye5.15.2+dfsg-9+deb11u1fixed
bookworm5.15.8+dfsg-11+deb12u2fixed
sid, trixie5.15.15+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qtbase-opensource-srcsourcejessie(not affected)
qtbase-opensource-srcsourcestretch(not affected)
qtbase-opensource-srcsourcebuster(not affected)
qtbase-opensource-srcsource(unstable)5.14.2+dfsg-6

Notes

[buster] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
[stretch] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
[jessie] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
https://bugreports.qt.io/browse/QTBUG-83450
https://github.com/mumble-voip/mumble/issues/3679
https://github.com/mumble-voip/mumble/pull/4032

Search for package or bug name: Reporting problems