On 2025-07-19 04:59, Sylvain Beucler wrote:
> Hello,
> Thanks for proposing a patch.
> We usually don't publish a DLA for a single, minor CVE fix. In addition,
> we try to be consistent with the other dists in Debian, but this CVE
> isn't fixed in stable.
> You seem to confuse stable (bookworm) and LTS (bullseye) in your e-mail.
> Please make sure you're targeting the right release.
> Overall I would recommend first discussing the situation with the
> package maintainers (Debian Javascript Team).
Thanks a lot for the great suggestion, will do.
Do you have a recommended CVE list which you think Debian contributors
can work on?
Much appreciated,
-Yang
> Cheers!
> Sylvain Beucler
> Debian LTS Team
> On 26/06/2025 19:45, Yang Wang wrote:
>> Package: node-ws
>> Version: 7.4.2+~cs18.0.8-3
>> Severity: normal
>> Tags: patch, security
>> X-Debbugs-Cc: debian-...@lists.debian.org
>> Control: found -1 7.4.2+~cs18.0.8-3
>> Dear Maintainer,
>> The package `node-ws` in Debian bookworm is affected by
>> CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError
>> in websocket-server.js when handling crafted HTTP requests). See:
>> https://security-tracker.debian.org/tracker/CVE-2024-37890
>> https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
>> I have prepared a patch that backports the upstream fix to bookworm.
>> The fixed package is versioned as:
>> 7.4.2+~cs18.0.8-3+deb11u1
>> The patch is attached as a debdiff against the current bookworm
>> version. I have tested that the patched package no longer crashes
>> with the provided PoC.
>> Please consider applying this patch to stable (bookworm).
>> Best regards,
>> Yang Wang
>> <yang.w...@windriver.com>
>> -- System Information:
>> Debian Release: 11.11
>> APT prefers oldstable
>> APT policy: (500, 'oldstable')
>> Architecture: amd64 (x86_64)
>> Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
>> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL
>> set to C), LANGUAGE not set
>> Shell: /bin/sh linked to /bin/dash
>> Init: unable to detect
>> Versions of packages node-ws depends on:
>> ii node-agent-base 6.0.2-2
>> ii node-commander 6.2.1-2
>> ii node-debug 4.3.1+~cs4.1.5-1
>> ii node-read 1.0.7-2
>> ii node-tinycolor 0.0.1-2
>> ii nodejs 12.22.12~dfsg-1~deb11u4
>> node-ws recommends no packages.
>> node-ws suggests no packages.
>> -- no debconf information