Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-ws

Hi all,

node-ws is vulnerable to a DoS attack (#927671, CVE-2016-10542). I added this very simple patch:

--- a/lib/WebSocketServer.js +++ b/lib/WebSocketServer.js @@ -37,7 +37,7 @@ disableHixie: false, clientTracking: true, perMessageDeflate: true, - maxPayload: null + maxPayload: 100 * 1024 * 1024 }).merge(options); if (!options.isDefinedAndNonNull('port') && !options.isDefinedAndNonNull('server') && !options.value.noServer) {

Full changes:
 * Add upstream/metadata
 * Declare compliance with policy 4.3.0
 * Add patch to fix upload size to a sane value (Closes: #927671, CVE-2016-10542)

Reverse-dependencies: node-flashproxy, which has no reverse dependencies.

Since the patch is trivial, I think it is low risk to unblock node-ws.

Cheers,
Xavier

unblock node-ws/1.1.0+ds1.e6ddaae4-5

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index 0322f4c..d8d3387 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-ws (1.1.0+ds1.e6ddaae4-5) unstable; urgency=medium + + * Add upstream/metadata + * Declare compliance with policy 4.3.0 + * Add patch to fix upload size to a sane value + (Closes: #927671, CVE-2016-10542) + + -- Xavier Guimard <y...@debian.org> Sun, 21 Apr 2019 08:58:55 +0200 + node-ws (1.1.0+ds1.e6ddaae4-4) unstable; urgency=medium * Priority: optional diff --git a/debian/control b/debian/control index 9d70aba..52806c2 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,7 @@ Build-Depends: node-gyp (>= 3.8.0-2), node-should, node-tinycolor -Standards-Version: 3.9.8 +Standards-Version: 4.3.0 Homepage: https://github.com/websockets/ws Vcs-Browser: https://salsa.debian.org/js-team/node-ws Vcs-Git: https://salsa.debian.org/js-team/node-ws.git diff --git a/debian/patches/node-ads-120.diff b/debian/patches/node-ads-120.diff new file mode 100644 index 0000000..2862cd2 --- /dev/null +++ b/debian/patches/node-ads-120.diff @@ -0,0 +1,19 @@ +Description: Fix upload default size to a sane value +Author: Arnout Kazemier <https://github.com/3rd-Eden> +Origin: upstream, https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc +Bug: https://www.npmjs.com/advisories/120 +Bug-Debian: https://bugs.debian.org/927671 +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-04-21 + +--- a/lib/WebSocketServer.js ++++ b/lib/WebSocketServer.js +@@ -37,7 +37,7 @@ + disableHixie: false, + clientTracking: true, + perMessageDeflate: true, +- maxPayload: null ++ maxPayload: 100 * 1024 * 1024 + }).merge(options); + + if (!options.isDefinedAndNonNull('port') && !options.isDefinedAndNonNull('server') && !options.value.noServer) { diff --git a/debian/patches/series b/debian/patches/series index 2595765..0556eb7 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -4,3 +4,4 @@ rm-redundant-legacy-include disable-debian-failing-tests fix-failing-tests increase-test-timeout +node-ads-120.diff diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..a6aa381 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/websockets/ws/issues +Contact: https://github.com/websockets/ws/issues +Name: ws +Repository: https://github.com/websockets/ws.git +Repository-Browse: https://github.com/websockets/ws
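Review bot: the changelog entry "Add patch to fix upload size to a sane value" in debian/changelog does not name what actually changed; saying that the default `maxPayload` of a WebSocketServer is now 100 MiB instead of unlimited (null) would let administrators find this behavioural change when large messages that used to be accepted start being rejected after the upgrade.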
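Review bot: the Standards-Version bump from 3.9.8 to 4.3.0 in debian/control is unrelated to the CVE-2016-10542 fix this unblock request is for; during the freeze the release team usually wants only the targeted change, so either leave the bump for after the release or say in the request that it needed no source changes beyond the field itself (which the diff bears out: only debian/upstream/metadata was added alongside it).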
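Review bot: the new default `maxPayload: 100 * 1024 * 1024` in debian/patches/node-ads-120.diff bounds the size of a single inbound message, which is what CVE-2016-10542 needs, but 100 MiB per connection is still a lot of memory, so the DEP-3 Description should say that services expecting small messages should pass a lower `maxPayload` in their WebSocketServer options rather than rely on the default. The hunk adds no test that an oversized message is rejected; with `disable-debian-failing-tests` and `fix-failing-tests` already in debian/patches/series, a small test of the new default would show the backport behaves on the Debian build. Also, only the server-side default in lib/WebSocketServer.js is changed here; check the upstream commit named in the Origin line for any other files it touched so the backport is not partial.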