Your message dated Sat, 20 Jun 2026 14:34:54 +0000
with message-id <[email protected]>
and subject line Bug#1140429: fixed in node-ws 8.21.0+~cs14.19.1-1
has caused the Debian Bug report #1140429,
regarding node-ws: CVE-2026-48779
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140429
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-ws
Version: 8.20.1+~cs14.19.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-ws.

CVE-2026-48779[0]:
| ws is an open source WebSocket client and server for Node.js. All
| versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up
| to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are
| affected by a memory exhaustion DoS vulnerability. A peer can send a
| high volume of exceptionally small fragments and data chunks, with
| modest network traffic, to force the remote peer into allocating and
| holding structural wrappers that consume far more memory than the
| default documented message-size limit, leading to process
| termination due to OOM. This issue has been fixed in versions 5.2.5,
| 6.2.4, 7.5.11, and 8.21.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48779
    https://www.cve.org/CVERecord?id=CVE-2026-48779
[1] https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
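
Added example, not part of the bug report or of ws itself: a check of an installed ws version against the affected ranges quoted in the CVE-2026-48779 text above. It accepts plain upstream versions as well as Debian package versions such as the two that appear in this thread; the function names are illustrative, and anything after the leading `major.minor.patch` is ignored as an assumption.

```javascript
// Affected ranges from the CVE-2026-48779 description:
// [first affected version, first fixed version), upper bound excluded.
const AFFECTED_RANGES = [
  ['1.1.0', '5.2.5'],
  ['6.0.0', '6.2.4'],
  ['7.0.0', '7.5.11'],
  ['8.0.0', '8.21.0'],
];

// Reduce an npm or Debian version string to [major, minor, patch].
// Assumption: a Debian epoch ("1:") and everything after the upstream
// triple ("+~cs14.19.1-1", "-1", "~bpo12+1") carry no fix information.
function upstreamTriple(version) {
  const v = String(version).trim().replace(/^\d+:/, '');
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new TypeError(`unparseable ws version: ${version}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of two triples: -1, 0 or 1.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, fixedIn }; fixedIn is the first fixed release of
// the branch the version belongs to, or null when it is not affected.
function checkWsVersion(version) {
  const v = upstreamTriple(version);
  for (const [first, fixed] of AFFECTED_RANGES) {
    if (compareTriples(v, upstreamTriple(first)) >= 0 &&
        compareTriples(v, upstreamTriple(fixed)) < 0) {
      return { affected: true, fixedIn: fixed };
    }
  }
  return { affected: false, fixedIn: null };
}

// Filter an inventory (name -> version) down to the affected entries.
function auditInventory(inventory) {
  return Object.entries(inventory)
    .map(([name, version]) => ({ name, version, ...checkWsVersion(version) }))
    .filter((entry) => entry.affected);
}
```
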
--- Begin Message ---
Source: node-ws
Source-Version: 8.21.0+~cs14.19.1-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-ws, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-ws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 20 Jun 2026 12:05:12 +0200
Source: node-ws
Architecture: source
Version: 8.21.0+~cs14.19.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1140429
Changes:
 node-ws (8.21.0+~cs14.19.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #1140429, CVE-2026-48779)

--- End Message ---