Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
From: Yadd <yadd@debian.org>
Date: Wed, 26 May 2021 12:41:30 +0200
Message-id: <[🔎] 162202569004.673592.16481724678347486126.reportbug@deb007.xnr.fr>
Reply-to: Yadd <yadd@debian.org>, 989129@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-ws is vulnerable to re regex denial of service (ReDoS)
(CVE-2021-32640).

[ Impact ]
A specially crafted value of the `Sec-Websocket-Protocol` header could
be used to significantly slow down a ws server.

[ Tests ]
No change in test, it passed.

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just replace:

  split(/, */)

by

  split(',').map(s => s.trim())

[ Other info ]
I adapted patch from 7.4.2 to 1.1.0

Cheers,
Yadd

Reply to:

Follow-Ups:
- Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
  - From: Yadd <yadd@debian.org>
- Processed: Re: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#989129: node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Bug#989114: marked as done (nmu: haskell-lambdabot-haskell-plugins_5.3-3)
Next by Date: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Previous by thread: Bug#989121: marked as done (unblock: adminer/4.7.9-2)
Next by thread: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Index(es):
- Date
- Thread