Hello,

Thanks for proposing a patch.

We usually don't publish a DLA for a single, minor CVE fix. In addition, we try to be consistent with the other dists in Debian, but this CVE isn't fixed in stable.

You seem to confuse stable (bookworm) and LTS (bullseye) in your e-mail. Please make sure you're targeting the right release.

Overall I would recommend first discussing the situation with the package maintainers (Debian Javascript Team).

Cheers!
Sylvain Beucler
Debian LTS Team

On 26/06/2025 19:45, Yang Wang wrote:
Package: node-ws
Version: 7.4.2+~cs18.0.8-3
Severity: normal
Tags: patch, security
X-Debbugs-Cc: [email protected]
Control: found -1 7.4.2+~cs18.0.8-3

Dear Maintainer,

The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a 
denial-of-service vulnerability (uncaught TypeError in websocket-server.js when 
handling crafted HTTP requests). See:
   https://security-tracker.debian.org/tracker/CVE-2024-37890
   https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f

I have prepared a patch that backports the upstream fix to bookworm. The fixed 
package is versioned as:

   7.4.2+~cs18.0.8-3+deb11u1

The patch is attached as a debdiff against the current bookworm version. I have 
tested that the patched package no longer crashes with the provided PoC.

Please consider applying this patch to stable (bookworm).

Best regards,
Yang Wang
<[email protected]>

-- System Information:
Debian Release: 11.11
   APT prefers oldstable
   APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), 
LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages node-ws depends on:
ii  node-agent-base  6.0.2-2
ii  node-commander   6.2.1-2
ii  node-debug       4.3.1+~cs4.1.5-1
ii  node-read        1.0.7-2
ii  node-tinycolor   0.0.1-2
ii  nodejs           12.22.12~dfsg-1~deb11u4

node-ws recommends no packages.

node-ws suggests no packages.

-- no debconf information

--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
