Debian Package Tracker
Register | Log in
Subscribe

open62541

Choose email to subscribe with

general
  • source: open62541 (main)
  • version: 1.4.11.1-1
  • maintainer: Julius Pfrommer (DMD)
  • arch: all any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 1.4.11.1-1
  • testing: 1.4.11.1-1
  • unstable: 1.4.11.1-1
versioned links
  • 1.4.11.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libopen62541-1.4
  • libopen62541-1.4-dev
  • libopen62541-1.4-tools
action needed
A new upstream version is available: 1.5.5 high
A new upstream version 1.5.5 is available, you should consider packaging it.
Created: 2025-11-26 Last update: 2026-07-07 07:34
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-11946: An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
  • CVE-2026-33592: An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
Created: 2026-07-03 Last update: 2026-07-06 11:00
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-11946: An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
  • CVE-2026-33592: An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
Created: 2026-07-03 Last update: 2026-07-06 11:00
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 1.4.14-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.
Created: 2025-05-16 Last update: 2026-07-05 19:02
Multiarch hinter reports 1 issue(s) low
There are issues with the multiarch metadata for this package.
  • libopen62541-1.4-tools could be marked Multi-Arch: foreign
Created: 2025-03-16 Last update: 2026-07-07 04:31
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-11946: (needs triaging) An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
  • CVE-2026-33592: (needs triaging) An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-07-03 Last update: 2026-07-06 11:00
debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 1.4.11.1-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2025-03-25 Last update: 2025-03-25 08:01
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
news
[rss feed]
  • [2025-03-30] open62541 1.4.11.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-24] Accepted open62541 1.4.11.1-1 (source) into unstable (Julius Pfrommer) (signed by: Soren Stoutner)
  • [2025-03-15] Accepted open62541 1.4.6-1 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Soren Stoutner)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1.4.11.1-1build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing