
Two security updates have been released for Debian systems: ELA-1579-1 mbedtls for Debian GNU/Linux 10 (Buster) ELTS and DLA-4373-1 libwebsockets for Debian GNU/Linux 11 (Bullseye) LTS. The mbedtls update fixes four vulnerabilities: a use-after-free, a NULL pointer dereference in mbedtls_asn1_store_named_data, a race condition in AES-NI detection that could leak an AES key or allow a GCM forgery, and a one-byte heap buffer underflow in PEM and PK parsing. The libwebsockets update addresses two flaws: a use-after-free in the WebSocket server handshake that can lead to denial of service, and a stack-based buffer overflow in asynchronous DNS parsing, where an attacker who can observe a DNS request crafts a response with a matching ID that contains an over-long label.

ELA-1579-1 mbedtls security update
[DLA 4373-1] libwebsockets security update
ELA-1579-1 mbedtls security update


Package : mbedtls
Version : 2.16.9-0~deb10u2 (buster)

Related CVEs :
CVE-2025-47917
CVE-2025-48965
CVE-2025-52496
CVE-2025-52497

Multiple vulnerabilities have been fixed in mbedtls, a lightweight crypto and
SSL/TLS library.

CVE-2025-47917
Mbed TLS allows a use-after-free in certain situations in correctly
developed applications.

CVE-2025-48965
The handling of val.p and val.len in mbedtls_asn1_store_named_data was
inconsistent and allowed NULL pointer dereference. The fix for this issue
depended on fixes for two related issues in the same piece of code, which
are now also fixed.

CVE-2025-52496
A race condition in AESNI detection could occur if certain compiler
optimisations were applied, making it possible to extract an AES key from
a multithreaded program or perform a GCM forgery.

CVE-2025-52497
In mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, one-byte
heap-based buffer underflow could occur.



[SECURITY] [DLA 4373-1] libwebsockets security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4373-1                  debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Utkarsh Gupta
November 17, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libwebsockets
Version : 4.0.20-2+deb11u1
CVE ID : CVE-2025-11677 CVE-2025-11678
Debian Bug : 1118746 1118747

Libwebsockets (LWS) is a flexible, lightweight pure C library for
implementing modern network protocols easily with a tiny footprint,
using a nonblocking event loop.

CVE-2025-11677

Use After Free in WebSocket server implementation in
lws_handshake_server in warmcat libwebsockets may allow an attacker,
in specific configurations where the user provides a callback
function that handles LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, to achieve
denial of service.

CVE-2025-11678

Stack-based buffer overflow in lws_adns_parse_label in warmcat
libwebsockets allows an attacker, when the LWS_WITH_SYS_ASYNC_DNS flag
is enabled at compile time, to overflow the label_stack. The attacker
must be able to sniff a DNS request in order to craft a response with a
matching ID that contains a label longer than the maximum.
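What a parser on the receiving end of that attack has to get right, as an added example in Python that is not libwebsockets code: each label length byte is checked against the RFC 1035 limits (63 bytes per label, 255 for the whole name) and against the bytes actually remaining before anything is copied, and a reply is only accepted if its transaction ID and question match the outstanding query, which is why the advisory's attacker must first sniff the request. The packets, the example.com name and address, and the MAX_POINTER_HOPS bound are all constructed for this example.

```python
# Added example, not libwebsockets code. All packets are constructed inline;
# MAX_POINTER_HOPS is an assumption, not an RFC limit.
import struct

MAX_LABEL = 63          # RFC 1035 2.3.4; length bytes 0x40-0xBF are reserved
MAX_NAME = 255          # RFC 1035 2.3.4, wire length including length bytes
MAX_POINTER_HOPS = 8    # assumption: bounds the work a hostile packet can cause


class DNSParseError(ValueError):
    pass


def read_name(msg, off):
    """Decode the name at msg[off]; return (dotted name, offset after it in the
    original stream). Nothing is copied before its length has been checked."""
    labels, wire_len, hops, resume = [], 0, 0, None
    while True:
        if off >= len(msg):
            raise DNSParseError("name runs past end of message")
        ln = msg[off]
        if ln >= 0xC0:                                  # compression pointer
            if off + 1 >= len(msg):
                raise DNSParseError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                              # backwards only, so no loops
                raise DNSParseError("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DNSParseError("too many compression pointers")
            if resume is None:
                resume = off + 2
            off = ptr
            continue
        if ln > MAX_LABEL:                              # the crafted-label case
            raise DNSParseError("label length %d exceeds %d" % (ln, MAX_LABEL))
        wire_len += 1 + ln
        if wire_len > MAX_NAME:                         # many maximal labels
            raise DNSParseError("name exceeds %d bytes" % MAX_NAME)
        if ln == 0:
            return ".".join(labels), (resume if resume is not None else off + 1)
        if off + 1 + ln > len(msg):                     # length claims bytes not present
            raise DNSParseError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln


def encode_name(name):
    """Uncompressed wire form; used only to build the sample packets."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid, qname):
    # flags 0x0100 = RD; one question of type A, class IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ipv4):
    # flags 0x8180 = QR|RD|RA; the answer name is a pointer to the question at offset 12
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + rr


def crafted_response(txid):
    """Constructed attack packet: the ID matches, but the answer name begins with
    a length byte of 0x7F (127), more than a 63-byte label slot can hold."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\x7f" + b"A" * 127 + b"\x00" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\x0a\x00\x00\x01"
    return hdr + encode_name("example.com") + struct.pack("!HH", 1, 1) + rr


def parse_message(msg):
    """Header, single question and answer RRs; raises DNSParseError when malformed."""
    if len(msg) < 12:
        raise DNSParseError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise DNSParseError("expected exactly one question")
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise DNSParseError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise DNSParseError("truncated RR header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise DNSParseError("RDATA runs past end of message")
        answers.append((name, rtype, rclass, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "question": (qname, qtype, qclass), "answers": answers}


def accept_answer(query, response):
    """Return the A record as dotted text if response is a reply to query
    (same ID, QR bit set, same question), else None."""
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"] or not r["flags"] & 0x8000 or r["question"] != q["question"]:
        return None
    for name, rtype, rclass, rdata in r["answers"]:
        if (name, rtype, rclass) == q["question"] and len(rdata) == 4:
            return ".".join(str(b) for b in rdata)
    return None


def parse_error(msg):
    """The rejection reason for msg, or None if it parses cleanly."""
    try:
        parse_message(msg)
        return None
    except DNSParseError as e:
        return str(e)
```

parse_error reports why a packet is refused; crafted_response builds a reply with the right ID whose first answer label claims 127 bytes, and read_name rejects it at the length check before a single byte is copied. A decoder that trusts that length byte and writes into a fixed 63-byte label slot is the shape of bug the advisory describes. Note that the ID and question checks in accept_answer are what force the attacker to observe the request: a blind forgery would have to guess the 16-bit ID.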

For Debian 11 bullseye, these problems have been fixed in version
4.0.20-2+deb11u1.

We recommend that you upgrade your libwebsockets packages.

For the detailed security status of libwebsockets please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libwebsockets

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS