libwebsockets - Debian Package Tracker

general

source: libwebsockets (main)
version: 4.3.5-3
maintainer: Laszlo Boszormenyi (GCS) (DMD)
uploaders: Peter Pentchev [DMD]
arch: all any
std-ver: 4.7.2
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0.20-2
oldstable: 4.1.6-3
stable: 4.3.5-1
stable-p-u: 4.3.5-1+deb13u1
testing: 4.3.5-3
unstable: 4.3.5-3

versioned links

4.0.20-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.1.6-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libwebsockets-dev
libwebsockets-evlib-ev
libwebsockets-evlib-glib
libwebsockets-evlib-uv
libwebsockets-test-server
libwebsockets-test-server-common
libwebsockets19t64

action needed

Multiarch hinter reports 1 issue(s) high

There are issues with the multiarch metadata for this package.

libwebsockets-dev conflicts on /usr/include/lws_config.h on any two of amd64, arm64, armel, armhf, and 4 more

Created: 2022-08-06 Last update: 2025-11-08 07:00

A new upstream version is available: 4.4.1 high

A new upstream version 4.4.1 is available, you should consider packaging it.

Created: 2025-07-18 Last update: 2025-11-08 05:00

2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:

CVE-2025-11677: Use After Free in WebSocket server implementation in lws_handshake_server in warmcat libwebsockets may allow an attacker, in specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve denial of service.
CVE-2025-11678: Stack-based Buffer Overflow in lws_adns_parse_label in warmcat libwebsockets allows, when the LWS_WITH_SYS_ASYNC_DNS flag is enabled during compilation, to overflow the label_stack, when the attacker is able to sniff a DNS request in order to craft a response with a matching id containing a label longer than the maximum.

Created: 2025-10-21 Last update: 2025-11-05 21:30

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-10-28 Last update: 2025-10-28 09:31

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2025-11677: (needs triaging) Use After Free in WebSocket server implementation in lws_handshake_server in warmcat libwebsockets may allow an attacker, in specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve denial of service.
CVE-2025-11678: (needs triaging) Stack-based Buffer Overflow in lws_adns_parse_label in warmcat libwebsockets allows, when the LWS_WITH_SYS_ASYNC_DNS flag is enabled during compilation, to overflow the label_stack, when the attacker is able to sniff a DNS request in order to craft a response with a matching id containing a label longer than the maximum.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-10-21 Last update: 2025-11-05 21:30

debian/patches: 2 patches to forward upstream low

Among the 3 debian patches available in version 4.3.5-3 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-10-28 Last update: 2025-10-28 12:01

news

[rss feed]

[2025-11-06] Accepted libwebsockets 4.3.5-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-10-30] libwebsockets 4.3.5-3 MIGRATED to testing (Debian testing watch)
[2025-10-27] Accepted libwebsockets 4.3.5-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-10-04] libwebsockets 4.3.5-2 MIGRATED to testing (Debian testing watch)
[2025-10-01] Accepted libwebsockets 4.3.5-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-03-11] libwebsockets 4.3.5-1 MIGRATED to testing (Debian testing watch)
[2025-03-08] Accepted libwebsockets 4.3.5-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-05-02] libwebsockets 4.3.3-1.1 MIGRATED to testing (Debian testing watch)
[2024-03-01] Accepted libwebsockets 4.3.3-1.1 (source) into unstable (Steve Langasek)
[2024-02-02] Accepted libwebsockets 4.3.3-1.1~exp1 (source) into experimental (Steve Langasek)
[2024-01-08] libwebsockets 4.3.3-1 MIGRATED to testing (Debian testing watch)
[2024-01-02] Accepted libwebsockets 4.3.3-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-08-26] libwebsockets 4.3.2-4 MIGRATED to testing (Debian testing watch)
[2023-08-23] Accepted libwebsockets 4.3.2-4 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-07-27] libwebsockets 4.3.2-3 MIGRATED to testing (Debian testing watch)
[2023-07-24] Accepted libwebsockets 4.3.2-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-07-23] Accepted libwebsockets 4.3.2-2 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-07-23] libwebsockets 4.1.6-3.1 MIGRATED to testing (Debian testing watch)
[2023-07-20] Accepted libwebsockets 4.1.6-3.1 (source) into unstable (Gianfranco Costamagna)
[2022-08-23] Accepted libwebsockets 4.3.2-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
[2022-08-09] libwebsockets 4.1.6-3 MIGRATED to testing (Debian testing watch)
[2022-08-07] Accepted libwebsockets 4.1.6-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2022-08-06] Accepted libwebsockets 4.1.6-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2022-05-13] libwebsockets 4.0.20-3 MIGRATED to testing (Debian testing watch)
[2022-05-10] Accepted libwebsockets 4.0.20-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2021-02-22] libwebsockets 4.0.20-2 MIGRATED to testing (Debian testing watch)
[2021-02-22] libwebsockets 4.0.20-2 MIGRATED to testing (Debian testing watch)
[2021-02-11] Accepted libwebsockets 4.0.20-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2020-12-11] Accepted libwebsockets 4.1.6-1 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2020-10-29] Accepted libwebsockets 4.1.4-1 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)

bugs [bug history graph]

all: 3
RC: 0
I&N: 2
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 4)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.3.5-3
2 bugs