swupdate - Debian Package Tracker

general

source: swupdate (main)
version: 2025.12+dfsg-10
maintainer: Bastian Germann (DMD) (LowNMU)
uploaders: Nobuhiro Iwamatsu [DMD] – SZ Lin (林上智) [DMD]
arch: all any
std-ver: 4.6.0.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2020.11-2+deb11u1
oldstable: 2022.12+dfsg-4+deb12u2
old-bpo: 2024.12.1+dfsg-3~bpo12+1
stable: 2024.12.1+dfsg-3+deb13u2
stable-bpo: 2025.12+dfsg-7~bpo13+1
testing: 2025.12+dfsg-8
unstable: 2025.12+dfsg-10

versioned links

2020.11-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2022.12+dfsg-4+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2024.12.1+dfsg-3~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2024.12.1+dfsg-3+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.12+dfsg-2~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.12+dfsg-7~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.12+dfsg-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.12+dfsg-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libswupdate-dev
libswupdate0.1
lua-swupdate
swupdate (1 bugs: 0, 0, 1, 0)
swupdate-doc
swupdate-www

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:03:39
Last run: 2024-11-30T17:46:39.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:04:19
Last run: 2024-12-05T07:20:14.000Z
Previous status: unknown

stable: neutral (log)
The tests ran in 0:00:14
Last run: 2025-08-11T08:45:50.000Z
Previous status: unknown

Created: 2024-12-05 Last update: 2026-05-17 05:01

Marked for autoremoval on 12 June due to libwebsockets: #1133741 high

Version 2025.12+dfsg-8 of swupdate is marked for autoremoval from testing on Fri 12 Jun 2026. It depends (transitively) on libwebsockets, affected by #1133741. You should try to prevent the removal by fixing these RC bugs.

Created: 2026-04-21 Last update: 2026-05-17 04:32

9 security issues in forky high

There are 9 open security issues in forky.

9 important issues:

CVE-2026-2966: A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2967: A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2968: A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-5244: A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5245: A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5246: A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-6985: A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2026-6986: A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2026-28525: SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.

Created: 2026-05-02 Last update: 2026-05-16 15:30

21 security issues in bullseye high

There are 21 open security issues in bullseye.

8 important issues:

CVE-2019-12951: An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.
CVE-2019-13503: mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer over-read.
CVE-2019-19307: An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or possibly cause an out-of-bounds write, by sending a crafted MQTT protocol packet.
CVE-2020-25756: A buffer overflow vulnerability exists in the mg_get_http_header function in Cesanta Mongoose 6.18 due to a lack of bounds checking. A crafted HTTP header can exploit this bug. NOTE: a committer has stated "this will not happen in practice.
CVE-2020-25887: Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.
CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.

13 issues postponed or untriaged:

CVE-2023-2905: (needs triaging) Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.
CVE-2026-2966: (needs triaging) A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2967: (needs triaging) A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2968: (needs triaging) A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-5244: (needs triaging) A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5245: (needs triaging) A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5246: (needs triaging) A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-6985: (needs triaging) A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2026-6986: (needs triaging) A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2023-34188: (needs triaging) The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
CVE-2025-51495: (needs triaging) An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.
CVE-2025-65502: (needs triaging) Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.
CVE-2026-28525: (postponed; to be fixed through a stable update) SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.

Created: 2026-05-11 Last update: 2026-05-16 15:30

12 security issues in bookworm high

There are 12 open security issues in bookworm.

2 important issues:

CVE-2023-2905: Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.
CVE-2023-34188: The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.

10 issues left for the package maintainer to handle:

CVE-2026-2966: (needs triaging) A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2967: (needs triaging) A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2968: (needs triaging) A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-5244: (needs triaging) A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5245: (needs triaging) A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5246: (needs triaging) A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-6985: (needs triaging) A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2026-6986: (needs triaging) A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2025-51495: (needs triaging) An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.
CVE-2025-65502: (needs triaging) Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-11 Last update: 2026-05-16 15:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-12 Last update: 2026-05-17 04:32

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-17 04:30

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-03 Last update: 2026-05-03 00:31

10 low-priority security issues in trixie low

There are 10 open security issues in trixie.

10 issues left for the package maintainer to handle:

CVE-2026-2966: (needs triaging) A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2967: (needs triaging) A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-2968: (needs triaging) A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-5244: (needs triaging) A vulnerability has been found in Cesanta Mongoose up to 7.20. This affects the function mg_tls_recv_cert of the file mongoose.c of the component TLS 1.3 Handler. Such manipulation of the argument pubkey leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.21 mitigates this issue. The name of the patch is 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5245: (needs triaging) A vulnerability was found in Cesanta Mongoose up to 7.20. This impacts the function handle_mdns_record of the file mongoose.c of the component mDNS Record Handler. Performing a manipulation of the argument buf results in stack-based buffer overflow. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been made public and could be used. Upgrading to version 7.21 will fix this issue. The patch is named 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-5246: (needs triaging) A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-6985: (needs triaging) A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2026-6986: (needs triaging) A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.21 is capable of addressing this issue. It is advisable to upgrade the affected component. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE-2025-51495: (needs triaging) An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.
CVE-2025-65502: (needs triaging) Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-02 Last update: 2026-05-16 15:30

debian/patches: 4 patches to forward upstream low

Among the 6 debian patches available in version 2025.12+dfsg-10 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-07 08:05

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.0.1).

Created: 2022-05-11 Last update: 2026-05-06 21:16

testing migrations

This package will soon be part of the auto-libconfig transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for swupdate (2025.12+dfsg-8 to 2025.12+dfsg-10): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for swugenerator/0.6-7: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/s/swupdate.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 10 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-06] Accepted swupdate 2025.12+dfsg-10 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-05-05] Accepted swupdate 2022.12+dfsg-4+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: bage@debian.org)
[2026-05-05] Accepted swupdate 2024.12.1+dfsg-3+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: bage@debian.org)
[2026-05-02] Accepted swupdate 2025.12+dfsg-9 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-04-28] swupdate 2025.12+dfsg-8 MIGRATED to testing (Debian testing watch)
[2026-04-23] Accepted swupdate 2025.12+dfsg-7~bpo13+1 (source) into stable-backports (Bastian Germann) (signed by: bage@debian.org)
[2026-04-22] Accepted swupdate 2025.12+dfsg-8 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-04-21] swupdate 2025.12+dfsg-7 MIGRATED to testing (Debian testing watch)
[2026-04-16] Accepted swupdate 2025.12+dfsg-7 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-04-01] swupdate 2025.12+dfsg-6 MIGRATED to testing (Debian testing watch)
[2026-03-26] Accepted swupdate 2025.12+dfsg-6 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-03-23] Accepted swupdate 2025.12+dfsg-5 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-03-04] swupdate 2025.12+dfsg-4 MIGRATED to testing (Debian testing watch)
[2026-02-26] Accepted swupdate 2025.12+dfsg-4 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2026-02-22] swupdate 2025.12+dfsg-3 MIGRATED to testing (Debian testing watch)
[2026-02-12] Accepted swupdate 2025.12+dfsg-3 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-12-30] Accepted swupdate 2025.12+dfsg-2~bpo13+1 (source) into stable-backports (Bastian Germann) (signed by: bage@debian.org)
[2025-12-25] swupdate 2025.12+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-12-20] Accepted swupdate 2024.12.1+dfsg-3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: bage@debian.org)
[2025-12-19] Accepted swupdate 2025.12+dfsg-2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-12-08] Accepted swupdate 2025.12+dfsg-1 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-10-28] Accepted swupdate 2025.05+dfsg-3~bpo13+1 (source) into stable-backports (Bastian Germann) (signed by: bage@debian.org)
[2025-10-26] swupdate 2025.05+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-10-21] Accepted swupdate 2025.05+dfsg-3 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-09-04] Accepted swupdate 2025.05+dfsg-2~bpo13+1 (source amd64 all) into stable-backports (Debian FTP Masters) (signed by: bage@debian.org)
[2025-08-16] swupdate 2025.05+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted swupdate 2025.05+dfsg-2 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
[2025-07-23] Accepted swupdate 2024.12.1+dfsg-3~bpo12+1 (source) into stable-backports (Bastian Germann) (signed by: bage@debian.org)
[2025-07-20] swupdate 2024.12.1+dfsg-3 MIGRATED to testing (Debian testing watch)
[2025-07-14] Accepted swupdate 2024.12.1+dfsg-3 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2025.12+dfsg-4ubuntu1