libwebsockets - Debian Package Tracker

general

source: libwebsockets (main)
version: 4.3.5-4.1
maintainer: Laszlo Boszormenyi (GCS) (DMD)
uploaders: Peter Pentchev [DMD]
arch: all any
std-ver: 4.7.2
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0.20-2
o-o-sec: 4.0.20-2+deb11u1
oldstable: 4.1.6-3
stable: 4.3.5-1+deb13u1
testing: 4.3.5-4.1
unstable: 4.3.5-4.1

versioned links

4.0.20-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.20-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.1.6-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-4.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libwebsockets-dev
libwebsockets-evlib-ev
libwebsockets-evlib-glib
libwebsockets-evlib-uv
libwebsockets-test-server
libwebsockets-test-server-common
libwebsockets19t64

action needed

A new upstream version is available: 4.5.8 high

A new upstream version 4.5.8 is available, you should consider packaging it.

Created: 2026-05-13 Last update: 2026-06-03 22:00

3 security issues in bookworm high

There are 3 open security issues in bookworm.

1 important issue:

CVE-2026-10650: A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

2 issues left for the package maintainer to handle:

CVE-2025-11677: (needs triaging) Use After Free in WebSocket server implementation in lws_handshake_server in warmcat libwebsockets may allow an attacker, in specific configurations where the user provides a callback function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve denial of service.
CVE-2025-11678: (needs triaging) Stack-based Buffer Overflow in lws_adns_parse_label in warmcat libwebsockets allows, when the LWS_WITH_SYS_ASYNC_DNS flag is enabled during compilation, to overflow the label_stack, when the attacker is able to sniff a DNS request in order to craft a response with a matching id containing a label longer than the maximum.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-10-21 Last update: 2026-06-03 13:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-10650: A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Created: 2026-06-03 Last update: 2026-06-03 13:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-10650: A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Created: 2026-06-03 Last update: 2026-06-03 13:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-10650: A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Created: 2026-06-03 Last update: 2026-06-03 13:30

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-10650: A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue.

Created: 2026-06-03 Last update: 2026-06-03 13:30

lintian reports 4 warnings normal

Lintian reports 4 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-13 Last update: 2026-05-13 21:30

debian/patches: 3 patches to forward upstream low

Among the 4 debian patches available in version 4.3.5-4.1 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-10-28 Last update: 2026-05-13 13:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-05-13 10:33

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-05-18] libwebsockets 4.3.5-4.1 MIGRATED to testing (Debian testing watch)
[2026-05-13] Accepted libwebsockets 4.3.5-4.1 (source) into unstable (Gianfranco Costamagna)
[2026-03-17] libwebsockets 4.3.5-4 MIGRATED to testing (Debian testing watch)
[2026-03-14] Accepted libwebsockets 4.3.5-4 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-11-16] Accepted libwebsockets 4.0.20-2+deb11u1 (source) into oldoldstable-security (Utkarsh Gupta)
[2025-11-06] Accepted libwebsockets 4.3.5-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-10-30] libwebsockets 4.3.5-3 MIGRATED to testing (Debian testing watch)
[2025-10-27] Accepted libwebsockets 4.3.5-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-10-04] libwebsockets 4.3.5-2 MIGRATED to testing (Debian testing watch)
[2025-10-01] Accepted libwebsockets 4.3.5-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-03-11] libwebsockets 4.3.5-1 MIGRATED to testing (Debian testing watch)
[2025-03-08] Accepted libwebsockets 4.3.5-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-05-02] libwebsockets 4.3.3-1.1 MIGRATED to testing (Debian testing watch)
[2024-03-01] Accepted libwebsockets 4.3.3-1.1 (source) into unstable (Steve Langasek)
[2024-02-02] Accepted libwebsockets 4.3.3-1.1~exp1 (source) into experimental (Steve Langasek)
[2024-01-08] libwebsockets 4.3.3-1 MIGRATED to testing (Debian testing watch)
[2024-01-02] Accepted libwebsockets 4.3.3-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-08-26] libwebsockets 4.3.2-4 MIGRATED to testing (Debian testing watch)
[2023-08-23] Accepted libwebsockets 4.3.2-4 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-07-27] libwebsockets 4.3.2-3 MIGRATED to testing (Debian testing watch)
[2023-07-24] Accepted libwebsockets 4.3.2-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-07-23] Accepted libwebsockets 4.3.2-2 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2023-07-23] libwebsockets 4.1.6-3.1 MIGRATED to testing (Debian testing watch)
[2023-07-20] Accepted libwebsockets 4.1.6-3.1 (source) into unstable (Gianfranco Costamagna)
[2022-08-23] Accepted libwebsockets 4.3.2-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
[2022-08-09] libwebsockets 4.1.6-3 MIGRATED to testing (Debian testing watch)
[2022-08-07] Accepted libwebsockets 4.1.6-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2022-08-06] Accepted libwebsockets 4.1.6-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2022-05-13] libwebsockets 4.0.20-3 MIGRATED to testing (Debian testing watch)
[2022-05-10] Accepted libwebsockets 4.0.20-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 4)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.3.5-4.1