CVE-2020-27813

NameCVE-2020-27813
DescriptionAn integer overflow vulnerability exists with the length of websocket ...
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2520-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-gorilla-websocket (PTS)sid, bookworm, bullseye1.4.2-1fixed
golang-websocket (PTS)jessie0.0~git20140119-1vulnerable
stretch1.1.0-1vulnerable
stretch (security)1.1.0-1+deb9u1fixed
buster1.4.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-gorilla-websocketsource(unstable)(not affected)
golang-websocketsourcejessie(unfixed)end-of-life
golang-websocketsourcestretch1.1.0-1+deb9u1DLA-2520-1
golang-websocketsource(unstable)(unfixed)

Notes

- golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package)
https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh
https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37 (v1.4.1)

Search for package or bug name: Reporting problems