libcoap3 - Debian Package Tracker

general

source: libcoap3 (main)
version: 4.3.5-2
maintainer: Debian IoT Maintainers (archive) (DMD)
uploaders: Thorsten Alteholz [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 4.3.1-1
stable: 4.3.4-1.1+deb13u1
testing: 4.3.5-1
unstable: 4.3.5-2

versioned links

4.3.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.4-1.1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libcoap3-bin
libcoap3-dev
libcoap3-doc
libcoap3t64

action needed

Marked for autoremoval on 08 January: #1122433 high

Version 4.3.5-1 of libcoap3 is marked for autoremoval from testing on Thu 08 Jan 2026. It is affected by #1122433. You should try to prevent the removal by fixing these RC bugs.

Created: 2025-12-17 Last update: 2025-12-23 19:45

10 security issues in forky high

There are 10 open security issues in forky.

10 important issues:

CVE-2025-59391: A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service.
CVE-2025-65493: NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL.
CVE-2025-65494: NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL.
CVE-2025-65495: Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter.
CVE-2025-65496: NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65497: NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65498: NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65499: Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
CVE-2025-65500: NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65501: Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.

Created: 2025-11-24 Last update: 2025-12-21 16:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-12-22 Last update: 2025-12-22 00:31

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 4.3.5-2 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-12-21 Last update: 2025-12-21 22:30

11 low-priority security issues in trixie low

There are 11 open security issues in trixie.

10 issues left for the package maintainer to handle:

CVE-2025-59391: (needs triaging) A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service.
CVE-2025-65493: (needs triaging) NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL.
CVE-2025-65494: (needs triaging) NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL.
CVE-2025-65495: (needs triaging) Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter.
CVE-2025-65496: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65497: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65498: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65499: (needs triaging) Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
CVE-2025-65500: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65501: (needs triaging) Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2024-46304: A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a remote attacker to cause a denial of service via the coap_handle_request_put_block function in src/coap_block.c.

Created: 2024-01-28 Last update: 2025-12-21 16:30

13 low-priority security issues in bookworm low

There are 13 open security issues in bookworm.

10 issues left for the package maintainer to handle:

CVE-2025-59391: (needs triaging) A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service.
CVE-2025-65493: (needs triaging) NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL.
CVE-2025-65494: (needs triaging) NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL.
CVE-2025-65495: (needs triaging) Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter.
CVE-2025-65496: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65497: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65498: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65499: (needs triaging) Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
CVE-2025-65500: (needs triaging) NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
CVE-2025-65501: (needs triaging) Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.

You can find information about how to handle these issues in the security team's documentation.

3 ignored issues:

CVE-2023-30362: Buffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to obtain sensitive information via malformed pdu.
CVE-2024-31031: An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause undefined behavior via a sequence of messages leading to unsigned integer overflow.
CVE-2024-46304: A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a remote attacker to cause a denial of service via the coap_handle_request_put_block function in src/coap_block.c.

Created: 2023-07-07 Last update: 2025-12-21 16:30

testing migrations

excuses:
- Migration status for libcoap3 (4.3.5-1 to 4.3.5-2): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Updating libcoap3 will fix bugs in testing: #1122433
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/libc/libcoap3.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- Not considered

news

[rss feed]

[2025-12-21] Accepted libcoap3 4.3.5-2 (source) into unstable (Thorsten Alteholz)
[2025-08-31] libcoap3 4.3.5-1 MIGRATED to testing (Debian testing watch)
[2025-08-30] Accepted libcoap3 4.3.4-1.1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Thorsten Alteholz)
[2025-08-26] Accepted libcoap3 4.3.5-1 (source) into unstable (Thorsten Alteholz)
[2024-05-03] libcoap3 4.3.4-1.1 MIGRATED to testing (Debian testing watch)
[2024-03-17] libcoap3 REMOVED from testing (Debian testing watch)
[2024-02-29] Accepted libcoap3 4.3.4-1.1 (source) into unstable (Benjamin Drung)
[2024-01-31] Accepted libcoap3 4.3.4-1.1~exp1 (source) into experimental (Steve Langasek)
[2023-11-03] libcoap3 4.3.4-1 MIGRATED to testing (Debian testing watch)
[2023-10-29] Accepted libcoap3 4.3.4-1 (source) into unstable (Carsten Schoenert)
[2023-09-22] libcoap3 4.3.3-1 MIGRATED to testing (Debian testing watch)
[2023-09-16] Accepted libcoap3 4.3.3-1 (source) into unstable (Carsten Schoenert)
[2023-07-13] libcoap3 4.3.1-2 MIGRATED to testing (Debian testing watch)
[2023-07-08] Accepted libcoap3 4.3.1-2 (source) into unstable (Carsten Schoenert)
[2022-12-03] libcoap3 4.3.1-1 MIGRATED to testing (Debian testing watch)
[2022-11-28] Accepted libcoap3 4.3.1-1 (source) into unstable (Carsten Schoenert)
[2021-10-22] libcoap3 4.3.0-2 MIGRATED to testing (Debian testing watch)
[2021-10-17] Accepted libcoap3 4.3.0-2 (source) into unstable (Carsten Schoenert)
[2021-09-23] libcoap3 4.3.0-1 MIGRATED to testing (Debian testing watch)
[2021-09-17] Accepted libcoap3 4.3.0-1 (source) into unstable (Carsten Schoenert)
[2021-08-16] Accepted libcoap3 4.3.0-1~exp1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Carsten Schoenert)
[2021-08-16] Accepted libcoap3 4.3.0~rc2-1 (source amd64 all) into experimental, experimental (Debian FTP Masters) (signed by: Carsten Schoenert)

bugs [bug history graph]

all: 1
RC: 0
I&N: 0
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.3.5-2