CVE-2020-27813

NameCVE-2020-27813
DescriptionAn integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2520-1, DLA-3420-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-gorilla-websocket (PTS)bullseye1.4.2-1fixed
bookworm1.5.0-2fixed
sid, trixie1.5.1-1fixed
golang-websocket (PTS)jessie0.0~git20140119-1vulnerable
stretch (security), stretch (lts), stretch1.1.0-1+deb9u1fixed
buster1.4.0-1vulnerable
buster (security)1.4.0-1+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-gorilla-websocketsource(unstable)(not affected)
golang-websocketsourcejessie(unfixed)end-of-life
golang-websocketsourcestretch1.1.0-1+deb9u1DLA-2520-1
golang-websocketsourcebuster1.4.0-1+deb10u1DLA-3420-1
golang-websocketsource(unstable)(unfixed)

Notes

- golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package)
https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh
https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37 (v1.4.1)

Search for package or bug name: Reporting problems