CVE-2020-13962
First published: Tue Jun 09 2020(Updated: )
Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/QT | <5.12.9 | 5.12.9 |
| redhat/QT | <5.14.3 | 5.14.3 |
| redhat/QT | <5.15.0 | 5.15.0 |
| Mumble Mumble | =1.3.0 | |
| Qt Qt | >=5.12.2<5.12.9 | |
| Qt Qt | >=5.13.0<=5.13.2 | |
| Qt Qt | >=5.14.0<=5.14.2 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| openSUSE Leap | =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html
- https://bugreports.qt.io/browse/QTBUG-83450
- https://github.com/mumble-voip/mumble/issues/3679
- https://github.com/mumble-voip/mumble/pull/4032
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X6EDPIIAQPVP2CHL2CHDHJ25EECA7UE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJDBZUYMMF4R5QQKD2HTIKQU2NSKO63/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3IZY7LKJ6NAXQDFYFR4S7L5BBHYK53K/
- https://security.gentoo.org/glsa/202007-18
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1849735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1849737
- https://codereview.qt-project.org/c/qt/qtbase/+/297149
- https://access.redhat.com/security/cve/cve-2020-13962
- https://access.redhat.com/errata/RHSA-2020:4690
- https://bugzilla.redhat.com/show_bug.cgi?id=1849734
Frequently Asked Questions
Which versions of Qt are affected by CVE-2020-13962?
Qt versions 5.12.2 through 5.14.2 are affected by CVE-2020-13962.
Are there any unofficial builds of Mumble affected by CVE-2020-13962?
Yes, unofficial builds of Mumble version 1.3.0 are affected by CVE-2020-13962.
What is the severity of CVE-2020-13962?
The severity of CVE-2020-13962 is high, with a CVSS score of 7.5.
What is the remedy for Qt versions affected by CVE-2020-13962?
To fix CVE-2020-13962 in Qt, update to version 5.12.9, 5.14.3, or 5.15.0.
Are there any referenced documents for more information about CVE-2020-13962?
Yes, you can find more information about CVE-2020-13962 in the following references: [link1](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html), [link2](https://bugreports.qt.io/browse/QTBUG-83450), [link3](https://github.com/mumble-voip/mumble/issues/3679).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-13962
- agent/software-canonical-lookup
- vendor/mumble
- canonical/mumble mumble
- version/mumble mumble/1.3.0
- vendor/qt
- canonical/qt qt
- version/qt qt/5.12.2
- version/qt qt/5.13.0
- version/qt qt/5.13.2
- version/qt qt/5.14.0
- version/qt qt/5.14.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.2
- package-manager/redhat