CVE-2020-13962

Name: CVE-2020-13962
Description: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak into unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package               | Release                     | Version                 | Status
qtbase-opensource-src (PTS)  | stretch (security), stretch | 5.7.1+dfsg-3+deb9u2     | fixed
                             | buster, buster (security)   | 5.11.3+dfsg1-1+deb10u3  | fixed
                             | bullseye                    | 5.14.2+dfsg-4           | vulnerable
                             | sid                         | 5.14.2+dfsg-5           | vulnerable

The information below is based on the following data on fixed versions.

Package                | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
qtbase-opensource-src  | source | jessie     | (not affected) |         |        |
qtbase-opensource-src  | source | stretch    | (not affected) |         |        |
qtbase-opensource-src  | source | buster     | (not affected) |         |        |
qtbase-opensource-src  | source | (unstable) | (unfixed)      |         |        |

Notes

[buster] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
[stretch] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
[jessie] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
https://bugreports.qt.io/browse/QTBUG-83450
https://github.com/mumble-voip/mumble/issues/3679
https://github.com/mumble-voip/mumble/pull/4032
