Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-ws is vulnerable to re regex denial of service (ReDoS)
(CVE-2021-32640).
[ Impact ]
A specially crafted value of the `Sec-Websocket-Protocol` header could
be used to significantly slow down a ws server.
[ Tests ]
No change in test, it passed.
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just replace:
split(/, */)
by
split(',').map(s => s.trim())
[ Other info ]
I adapted patch from 7.4.2 to 1.1.0
Cheers,
Yadd
Reply to: