From carnil at debian.org Wed Nov 26 07:02:47 2025
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Wed, 26 Nov 2025 08:02:47 +0100
Subject: [Debian-iot-maintainers] Bug#1121415: libcoap3: CVE-2025-65493 CVE-2025-65494 CVE-2025-65495 CVE-2025-65496 CVE-2025-65497 CVE-2025-65498 CVE-2025-65499 CVE-2025-65500 CVE-2025-65501
Message-ID: <176414056759.1040686.17456084307350067705.reportbug@eldamar.lan>

Source: libcoap3
Version: 4.3.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/obgm/libcoap/pull/1750
X-Debbugs-Cc: carnil at debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for libcoap3.

CVE-2025-65493[0]:
| NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5
| allows remote attackers to cause a denial of service via a crafted
| DTLS/TLS connection that triggers BIO_get_data() to return NULL.

CVE-2025-65494[1]:
| NULL pointer dereference in get_san_or_cn_from_cert() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted X.509 certificate that
| causes sk_GENERAL_NAME_value() to return NULL.

CVE-2025-65495[2]:
| Integer signedness error in tls_verify_call_back() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted TLS certificate that causes
| i2d_X509() to return -1 and be misused as a malloc() size parameter.

CVE-2025-65496[3]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.

CVE-2025-65497[4]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.

CVE-2025-65498[5]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.

CVE-2025-65499[6]:
| Array index error in tls_verify_call_back() in src/coap_openssl.c in
| OISM libcoap 4.3.5 allows remote attackers to cause a denial of
| service via a crafted DTLS handshake that triggers
| SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.

CVE-2025-65500[7]:
| NULL pointer dereference in coap_dtls_generate_cookie() in
| src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
| cause a denial of service via a crafted DTLS handshake that triggers
| SSL_get_SSL_CTX() to return NULL.

CVE-2025-65501[8]:
| Null pointer dereference in coap_dtls_info_callback() in OISM
| libcoap 4.3.5 allows remote attackers to cause a denial of service
| via a DTLS handshake where SSL_get_app_data() returns NULL.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65493
    https://www.cve.org/CVERecord?id=CVE-2025-65493
[1] https://security-tracker.debian.org/tracker/CVE-2025-65494
    https://www.cve.org/CVERecord?id=CVE-2025-65494
[2] https://security-tracker.debian.org/tracker/CVE-2025-65495
    https://www.cve.org/CVERecord?id=CVE-2025-65495
[3] https://security-tracker.debian.org/tracker/CVE-2025-65496
    https://www.cve.org/CVERecord?id=CVE-2025-65496
[4] https://security-tracker.debian.org/tracker/CVE-2025-65497
    https://www.cve.org/CVERecord?id=CVE-2025-65497
[5] https://security-tracker.debian.org/tracker/CVE-2025-65498
    https://www.cve.org/CVERecord?id=CVE-2025-65498
[6] https://security-tracker.debian.org/tracker/CVE-2025-65499
    https://www.cve.org/CVERecord?id=CVE-2025-65499
[7] https://security-tracker.debian.org/tracker/CVE-2025-65500
    https://www.cve.org/CVERecord?id=CVE-2025-65500
[8] https://security-tracker.debian.org/tracker/CVE-2025-65501
    https://www.cve.org/CVERecord?id=CVE-2025-65501
[9] https://github.com/obgm/libcoap/pull/1750

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
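Added illustration (not code from libcoap, OpenSSL or the bug reporter): the allocation pattern behind the CVE-2025-65495 description, a signed DER-encoder length handed straight to malloc(), beside a checked version that rejects the error return before allocating. The der_encoder_fn interface and the two sample encoders are constructed stand-ins for i2d_X509() so the example builds without OpenSSL.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an OpenSSL-style DER encoder such as i2d_X509():
 * returns the encoded length, or a negative value on error, and when out is
 * non-NULL writes the bytes to *out and advances *out. No OpenSSL dependency. */
typedef int (*der_encoder_fn)(const void *obj, unsigned char **out);

/* Unchecked pattern from the CVE-2025-65495 description: a negative length
 * converted to size_t for malloc() turns into a huge allocation request. */
size_t unchecked_alloc_size(int len) {
    return (size_t)len;            /* -1 becomes SIZE_MAX */
}

/* Hardened pattern: refuse non-positive lengths before allocating, and verify
 * that the second encoder pass wrote exactly the announced length.
 * Returns 0 on success (caller frees *buf), -1 on failure (*buf stays NULL). */
int encode_der_checked(der_encoder_fn enc, const void *obj,
                       unsigned char **buf, size_t *len) {
    *buf = NULL;
    *len = 0;
    int n = enc(obj, NULL);        /* sizing pass */
    if (n <= 0)
        return -1;                 /* encoder error: never reaches malloc() */
    unsigned char *p = malloc((size_t)n);
    if (p == NULL)
        return -1;
    unsigned char *cursor = p;     /* i2d-style encoders advance the cursor */
    if (enc(obj, &cursor) != n || cursor != p + n) {
        free(p);
        return -1;
    }
    *buf = p;
    *len = (size_t)n;
    return 0;
}

/* Constructed encoders for demonstration: one that encodes a byte string,
 * one that fails the way i2d_X509() does on a certificate it cannot encode. */
int enc_ok(const void *obj, unsigned char **out) {
    const char *s = obj;
    int n = (int)strlen(s);
    if (out) { memcpy(*out, s, (size_t)n); *out += n; }
    return n;
}
int enc_fail(const void *obj, unsigned char **out) {
    (void)obj; (void)out;
    return -1;
}
```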