Bug#935976: stretch-pu: package node-ws/1.1.0+ds1.e6ddaae4-3+deb9u1

2019-08-29 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2019-08-28 at 17:29 +0200, Xavier Guimard wrote:
> During the buster release, we fixed CVE-2016-10542 for node-ws. The same
> patch can be applied in Stretch.
> 

Please go ahead.

Regards,

Adam



Bug#935976: stretch-pu: package node-ws/1.1.0+ds1.e6ddaae4-3+deb9u1

2019-08-28 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

During the buster release, we fixed CVE-2016-10542 for node-ws. The same
patch can be applied in Stretch.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index e9c9c75..a9bedaf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-ws (1.1.0+ds1.e6ddaae4-3+deb9u1) stretch; urgency=medium
+
+  * Add patch to fix upload size to a sane value
+(Closes: #927671, CVE-2016-10542)
+
+ -- Xavier Guimard   Wed, 28 Aug 2019 17:25:11 +0200
+
 node-ws (1.1.0+ds1.e6ddaae4-3) unstable; urgency=medium
 
   * Team upload
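Review bot: the changelog entry `* Add patch to fix upload size to a sane value` names the patch but not the behaviour change a stable user needs to know about; state the new default, for instance `* Set the default WebSocketServer maxPayload to 100 MiB instead of unlimited (null)`, and make sure the `(Closes: #927671, CVE-2016-10542)` continuation is indented under the bullet so it is parsed as part of the same item.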
diff --git a/debian/patches/node-ads-120.diff b/debian/patches/node-ads-120.diff
new file mode 100644
index 000..2862cd2
--- /dev/null
+++ b/debian/patches/node-ads-120.diff
@@ -0,0 +1,19 @@
+Description: Fix upload default size to a sane value
+Author: Arnout Kazemier 
+Origin: upstream, 
https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc
+Bug: https://www.npmjs.com/advisories/120
+Bug-Debian: https://bugs.debian.org/927671
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-04-21
+
+--- a/lib/WebSocketServer.js
 b/lib/WebSocketServer.js
+@@ -37,7 +37,7 @@
+ disableHixie: false,
+ clientTracking: true,
+ perMessageDeflate: true,
+-maxPayload: null
++maxPayload: 100 * 1024 * 1024
+   }).merge(options);
+ 
+   if (!options.isDefinedAndNonNull('port') && 
!options.isDefinedAndNonNull('server') && !options.value.noServer) {
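Review bot: as shown here the patch will not apply: the file header line ` b/lib/WebSocketServer.js` has lost its `+++` marker and the `Origin:` URL has wrapped onto a separate line, so confirm that the committed debian/patches/node-ads-120.diff has `+++ b/lib/WebSocketServer.js` and `Origin: upstream, https://github.com/websockets/ws/commit/0328a8f49f004f98d2913016214e93b2fc2713bc` each on one line. Also note that the cap is only a default: since the block ends with `}).merge(options)`, a caller passing `maxPayload: null` explicitly presumably still gets unlimited buffering, and only WebSocketServer.js is touched, so the changelog should say this fixes the server default rather than every use of the library.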
diff --git a/debian/patches/series b/debian/patches/series
index e26c50c..23aa21f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ rm-redundant-legacy-include
 disable-debian-failing-tests
 fix-failing-tests
 increase-test-timeout
+node-ads-120.diff
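Review bot: the name `node-ads-120.diff` refers to the npm advisory number, which is less discoverable than the CVE when the series is audited later; naming the patch after the CVE (for example `CVE-2016-10542.patch`) and keeping the advisory link in the `Bug:` header would serve both. Cosmetic only.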
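The following is an added illustration and is not code from node-ws, from upstream ws, or from the Debian patch: a toy fragment reassembler with the `maxPayload` semantics the patch relies on (`null` meaning no limit, otherwise a byte cap applied before a fragment is retained). The `Reassembler` class, the `{fin, payload}` frame shape and the `simulateEndlessUpload`/`reassembleBenign` helpers are assumptions made for this example; the real ws frame parser is not reproduced. It shows the difference between the pre-patch default (`null`) and the post-patch default (100 MiB) on a constructed stream of continuation fragments that never carries FIN.

```javascript
'use strict';

// Added example, not node-ws code. Only the two default values below come
// from the patch; everything else here is an assumption for illustration.
const MAX_PAYLOAD_UNLIMITED = null;              // stretch default before the patch
const MAX_PAYLOAD_DEFAULT = 100 * 1024 * 1024;   // default after the patch, 100 MiB

class Reassembler {
  constructor(maxPayload) {
    this.maxPayload = maxPayload;  // null means "no limit"
    this.fragments = [];
    this.bytesBuffered = 0;
    this.peakBuffered = 0;         // high-water mark, to make memory growth visible
  }

  // Accepts one frame {fin, payload: Buffer}. Returns the complete message on
  // the final fragment, null while a message is still being assembled. The
  // size check runs before the payload is retained, so one oversized frame
  // cannot push the buffer past the cap; on violation the partial message is
  // dropped and a RangeError is thrown (a real server would close the socket).
  push(frame) {
    if (this.maxPayload !== null &&
        this.bytesBuffered + frame.payload.length > this.maxPayload) {
      this.fragments = [];
      this.bytesBuffered = 0;
      throw new RangeError('Max payload size exceeded');
    }
    this.fragments.push(frame.payload);
    this.bytesBuffered += frame.payload.length;
    this.peakBuffered = Math.max(this.peakBuffered, this.bytesBuffered);
    if (!frame.fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = [];
    this.bytesBuffered = 0;
    return message;
  }
}

// Constructed hostile input: `count` continuation fragments of `fragSize`
// bytes with FIN never set, so an uncapped server just keeps buffering.
// Returns the index of the rejected fragment (-1 if every one was accepted)
// and the peak number of bytes the reassembler held.
function simulateEndlessUpload(maxPayload, fragSize, count) {
  const r = new Reassembler(maxPayload);
  let rejectedAt = -1;
  for (let i = 0; i < count; i++) {
    try {
      r.push({ fin: false, payload: Buffer.alloc(fragSize) });
    } catch (e) {
      if (!(e instanceof RangeError)) throw e;
      rejectedAt = i;
      break;
    }
  }
  return { rejectedAt, peakBuffered: r.peakBuffered };
}

// A legitimate two-fragment message still goes through under the cap.
function reassembleBenign(maxPayload) {
  const r = new Reassembler(maxPayload);
  const first = r.push({ fin: false, payload: Buffer.from('hello ') });
  const whole = r.push({ fin: true, payload: Buffer.from('world') });
  return { first, text: whole.toString() };
}

const FRAG = 1024 * 1024;  // 1 MiB fragments for the demonstration
console.log('null cap (pre-patch):', simulateEndlessUpload(MAX_PAYLOAD_UNLIMITED, FRAG, 16));
console.log('100 MiB cap (post-patch):', simulateEndlessUpload(MAX_PAYLOAD_DEFAULT, FRAG, 101));
console.log('benign message:', reassembleBenign(MAX_PAYLOAD_DEFAULT));
```

With the pre-patch default the peak buffer simply equals whatever the peer chose to send; with the post-patch default the 101st 1 MiB fragment is refused and the buffer never exceeds 100 MiB. Note that, like the patch, this is only a default: a caller that passes `null` explicitly is back to unbounded buffering.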