[Pkg-javascript-devel] Bug#1108355: node-ws: please fix CVE-2024-37890 in bullseye (DoS via uncaught exception)
Sylvain Beucler
beuc at beuc.net
Sat Jul 19 09:59:29 BST 2025
Hello,
Thanks for proposing a patch.
We usually don't publish a DLA for a single, minor CVE fix. In addition,
we try to be consistent with the other dists in Debian, but this CVE
isn't fixed in stable.
You seem to confuse stable (bookworm) and LTS (bullseye) in your e-mail.
Please make sure you're targeting the right release.
Overall I would recommend to first discuss the situation with the
package maintainers (Debian Javascript Team).
Cheers!
Sylvain Beucler
Debian LTS Team
On 26/06/2025 19:45, Yang Wang wrote:
> Package: node-ws
> Version: 7.4.2+~cs18.0.8-3
> Severity: normal
> Tags: patch, security
> X-Debbugs-Cc: debian-lts at lists.debian.org
> Control: found -1 7.4.2+~cs18.0.8-3
>
> Dear Maintainer,
>
> The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError in websocket-server.js when handling crafted HTTP requests). See:
> https://security-tracker.debian.org/tracker/CVE-2024-37890
> https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
>
> I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as:
>
> 7.4.2+~cs18.0.8-3+deb11u1
>
> The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the provided PoC.
>
> Please consider applying this patch to stable (bookworm).
>
> Best regards,
> Yang Wang
> <yang.wang at windriver.com>
>
> -- System Information:
> Debian Release: 11.11
> APT prefers oldstable
> APT policy: (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set
> Shell: /bin/sh linked to /bin/dash
> Init: unable to detect
>
> Versions of packages node-ws depends on:
> ii node-agent-base 6.0.2-2
> ii node-commander 6.2.1-2
> ii node-debug 4.3.1+~cs4.1.5-1
> ii node-read 1.0.7-2
> ii node-tinycolor 0.0.1-2
> ii nodejs 12.22.12~dfsg-1~deb11u4
>
> node-ws recommends no packages.
>
> node-ws suggests no packages.
>
> -- no debconf information
More information about the Pkg-javascript-devel
mailing list