Your message dated Sat, 06 Jul 2024 04:49:49 +0000
with message-id <e1spxmr-00aqyk...@fasolo.debian.org>
and subject line Bug#1074236: fixed in node-ws 8.18.0+~cs13.7.11-1
has caused the Debian Bug report #1074236,
regarding node-ws: CVE-2024-37890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074236: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074236
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-ws
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ws.

CVE-2024-37890[0]:
| ws is an open source WebSocket client and server for Node.js. A
| request with a number of headers exceeding the server.maxHeadersCount
| threshold could be used to crash a ws server. The vulnerability was
| fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876),
| ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions
| of ws, the issue can be mitigated in the following ways: 1. Reduce
| the maximum allowed length of the request headers using the
| --max-http-header-size=size and/or the maxHeaderSize options so that
| no more headers than the server.maxHeadersCount limit can be sent.
| 2. Set server.maxHeadersCount to 0 so that no limit is applied.

https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c (8.17.1)
https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f (7.5.10)
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 (6.2.3)
https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e (5.2.4)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37890
    https://www.cve.org/CVERecord?id=CVE-2024-37890

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-ws
Source-Version: 8.18.0+~cs13.7.11-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-ws, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-ws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Jul 2024 08:24:11 +0400
Source: node-ws
Architecture: source
Version: 8.18.0+~cs13.7.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1074236
Changes:
 node-ws (8.18.0+~cs13.7.11-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #1074236, CVE-2024-37890)
   * Update copyright
   * Drop unneeded dependency version constraint
   * Declare compliance with policy 4.7.0



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel