Bug#927683: unblock: node-ws/1.1.0+ds1.e6ddaae4-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-ws
Hi all,
node-ws is vulnerable to a DoS attack (#927671, CVE-2016-10542). I added
this very simple patch:
--- a/lib/WebSocketServer.js
+++ b/lib/WebSocketServer.js
@@ -37,7 +37,7 @@
disableHixie: false,
clientTracking: true,
perMessageDeflate: true,
- maxPayload: null
+ maxPayload: 100 * 1024 * 1024
}).merge(options);
if (!options.isDefinedAndNonNull('port') && !options.isDefinedAndNonNull('server') && !options.value.noServer) {
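Review bot: replacing `maxPayload: null` with `100 * 1024 * 1024` turns an unbounded per-message buffer into a 100 MiB one, which closes the unbounded-allocation DoS, but 100 MiB per connection is still a lot of memory a remote client can force the server to allocate; since the value is only a default that `}).merge(options);` lets callers override, it would be worth telling reverse dependencies (node-flashproxy) to pass an explicit, smaller `maxPayload` sized to the frames they actually expect.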
Full changes:
* Add upstream/metadata
* Declare compliance with policy 4.3.0
* Add patch to fix upload size to a sane value
(Closes: #927671, CVE-2016-10542)
Reverse-dependencies: node-flashproxy, which has no reverse dependencies.
Since the patch is trivial, I think it is low risk to unblock node-ws.
Cheers,
Xavier
unblock node-ws/1.1.0+ds1.e6ddaae4-5
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 0322f4c..d8d3387 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-ws (1.1.0+ds1.e6ddaae4-5) unstable; urgency=medium
+
+ * Add upstream/metadata
+ * Declare compliance with policy 4.3.0
+ * Add patch to fix upload size to a sane value
+ (Closes: #927671, CVE-2016-10542)
+
+ -- Xavier Guimard <yadd@debian.org> Sun, 21 Apr 2019 08:58:55 +0200
+
node-ws (1.1.0+ds1.e6ddaae4-4) unstable; urgency=medium
* Priority: optional
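Review bot: the changelog entry "Add patch to fix upload size to a sane value" should state the user-visible change, namely that the default `maxPayload` goes from unlimited (`null`) to 100 MiB, so that users of the package (node-flashproxy included) can see from the changelog that connections sending larger messages will now be rejected and can set their own limit if needed.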
diff --git a/debian/control b/debian/control
index 9d70aba..52806c2 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends:
node-gyp (>= 3.8.0-2),
node-should,
node-tinycolor
-Standards-Version: 3.9.8
+Standards-Version: 4.3.0
Homepage: https://github.com/websockets/ws
Vcs-Browser: https://salsa.debian.org/js-team/node-ws
Vcs-Git: https://salsa.debian.org/js-team/node-ws.git
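Review bot: the Standards-Version bump from 3.9.8 to 4.3.0 is unrelated to the CVE fix; for a freeze unblock the release team generally wants the diff limited to the targeted change, so either drop this hunk (and the new debian/upstream/metadata file) from the unblock upload or state explicitly in the request that neither affects the built binary package.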
diff --git a/debian/patches/node-ads-120.diff b/debian/patches/node-ads-120.diff
new file mode 100644
index 0000000..2862cd2
--- /dev/null
+++ b/debian/patches/node-ads-120.diff
@@ -0,0 +1,19 @@
+Description: Fix upload default size to a sane value
+Author: Arnout Kazemier <https://github.com/3rd-Eden>
+Origin: upstream, https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc
+Bug: https://www.npmjs.com/advisories/120
+Bug-Debian: https://bugs.debian.org/927671
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-04-21
+
+--- a/lib/WebSocketServer.js
++++ b/lib/WebSocketServer.js
+@@ -37,7 +37,7 @@
+ disableHixie: false,
+ clientTracking: true,
+ perMessageDeflate: true,
+- maxPayload: null
++ maxPayload: 100 * 1024 * 1024
+ }).merge(options);
+
+ if (!options.isDefinedAndNonNull('port') && !options.isDefinedAndNonNull('server') && !options.value.noServer) {
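Review bot: the DEP-3 header references the npm advisory (`Bug: https://www.npmjs.com/advisories/120`) and the Debian bug, but nowhere mentions CVE-2016-10542, which the changelog closes; add the CVE id to the `Description:` line (for example "Fix upload default size to a sane value (CVE-2016-10542)") so the patch is findable from the security tracker. Also note that this patch only touches lib/WebSocketServer.js; if the upstream commit at `Origin:` changed anything beyond that file (tests or documentation of the default), those parts were not carried over and it would help to say so in the header.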
diff --git a/debian/patches/series b/debian/patches/series
index 2595765..0556eb7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ rm-redundant-legacy-include
disable-debian-failing-tests
fix-failing-tests
increase-test-timeout
+node-ads-120.diff
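Review bot: the file name `node-ads-120.diff` is opaque (it appears to mean npm advisory 120 and reads like a typo for "adv"); naming the patch after the CVE it fixes, e.g. `CVE-2016-10542.patch`, matches the convention used elsewhere in Debian for security patches and makes the series file self-explanatory.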
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a6aa381
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/websockets/ws/issues
+Contact: https://github.com/websockets/ws/issues
+Name: ws
+Repository: https://github.com/websockets/ws.git
+Repository-Browse: https://github.com/websockets/ws