Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

During the buster release, we fixed CVE-2016-10542 for node-ws. The same patch can be applied in Stretch.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index e9c9c75..a9bedaf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-ws (1.1.0+ds1.e6ddaae4-3+deb9u1) stretch; urgency=medium + + * Add patch to fix upload size to a sane value + (Closes: #927671, CVE-2016-10542) + + -- Xavier Guimard <y...@debian.org> Wed, 28 Aug 2019 17:25:11 +0200 + node-ws (1.1.0+ds1.e6ddaae4-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/node-ads-120.diff b/debian/patches/node-ads-120.diff new file mode 100644 index 0000000..2862cd2 --- /dev/null +++ b/debian/patches/node-ads-120.diff @@ -0,0 +1,19 @@ +Description: Fix upload default size to a sane value +Author: Arnout Kazemier <https://github.com/3rd-Eden> +Origin: upstream, https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc +Bug: https://www.npmjs.com/advisories/120 +Bug-Debian: https://bugs.debian.org/927671 +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-04-21 + +--- a/lib/WebSocketServer.js ++++ b/lib/WebSocketServer.js +@@ -37,7 +37,7 @@ + disableHixie: false, + clientTracking: true, + perMessageDeflate: true, +- maxPayload: null ++ maxPayload: 100 * 1024 * 1024 + }).merge(options); + + if (!options.isDefinedAndNonNull('port') && !options.isDefinedAndNonNull('server') && !options.value.noServer) { diff --git a/debian/patches/series b/debian/patches/series index e26c50c..23aa21f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ rm-redundant-legacy-include disable-debian-failing-tests fix-failing-tests increase-test-timeout +node-ads-120.diff
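
Review bot: The debian/changelog entry says only "fix upload size to a sane value" and names neither the option nor the value. For a stable update, state that the default `maxPayload` in lib/WebSocketServer.js changes from `null` to `100 * 1024 * 1024` (100 MiB), so that administrators whose services exchange larger messages know they must now pass their own `maxPayload` in the server options.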
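
Review bot: The header of debian/patches/node-ads-120.diff does not mention CVE-2016-10542, and the file name refers only to the npm advisory number, so the patch cannot be matched to the CVE without reading the changelog. Adding the CVE id to the Description field (or naming the file after it) would fix that. In the lib/WebSocketServer.js hunk itself, a short comment next to `maxPayload: 100 * 1024 * 1024` giving the unit (bytes, 100 MiB) would make clear that this is a limit on message size and that callers who need a different one override it through `options`.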