Hi all, I'm the maintainer of Faye (https://github.com/faye), a collection of WebSocket packages for Node.js and Ruby. I recently discovered a denial-of-service bug in the npm package `permessage-deflate`, whereby user input that adheres to the RFC can crash a WebSocket server by causing it to pass input that recent releases of zlib packaged with Node.js no longer accept.
A full write-up of this issue is available here: https://github.com/faye/permessage-deflate-node/wiki/Denial-of-service-caused-by-invalid-windowBits-parameter-passed-to-zlib.createDeflateRaw()

The issue may also affect Ruby users if their Ruby is dynamically linked to a zlib release that includes the relevant changes, so I have pre-emptively issued a patch for the Ruby version.

We recommend you install the following packages if you are affected by this issue:

For npm:
- permessage-deflate 0.1.6
- websocket-extensions 0.1.2

For Ruby:
- permessage_deflate 0.1.4

--
James Coglan
http://jcoglan.com

To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CALm1c-ERV%2Bv5Nn2jx-OxOabqZ7Qi93meVshAnGp9xKWDQk2U%3DQ%40mail.gmail.com.
