#1074236 node-ws: CVE-2024-37890

Package:
src:node-ws
Source:
src:node-ws
Submitter:
Moritz Mühlenhoff
Date:
2025-06-26 22:01:08 UTC
Severity:
normal
Tags:
#1074236#5
Date:
2024-06-24 21:38:31 UTC
From:
To:
Hi,

The following vulnerability was published for node-ws.

CVE-2024-37890[0]:
| ws is an open source WebSocket client and server for Node.js. A
| request with a number of headers exceeding the server.maxHeadersCount
| threshold could be used to crash a ws server. The vulnerability was
| fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876),
| ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions
| of ws, the issue can be mitigated in the following ways: 1. Reduce
| the maximum allowed length of the request headers using the
| --max-http-header-size=size and/or the maxHeaderSize options so that
| no more headers than the server.maxHeadersCount limit can be sent.
| 2. Set server.maxHeadersCount to 0 so that no limit is applied.

https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c (8.17.1)
https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f (7.5.10)
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 (6.2.3)
https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e (5.2.4)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37890
https://www.cve.org/CVERecord?id=CVE-2024-37890

Please adjust the affected versions in the BTS as needed.

#1074236#14
Date:
2024-07-06 04:22:29 UTC
From:
To:
Hello,

Bug #1074236 in node-ws reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-ws/-/commit/cbaa320f1712d7e46463fdebd26c133c247c9530

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1074236

#1074236#19
Date:
2024-07-06 04:22:28 UTC
From:
To:
Hello,

Bug #1074236 in node-ws reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-ws/-/commit/cbaa320f1712d7e46463fdebd26c133c247c9530

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1074236

#1074236#24
Date:
2024-07-06 04:49:49 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
node-ws, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1074236@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-ws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 06 Jul 2024 08:24:11 +0400
Source: node-ws
Architecture: source
Version: 8.18.0+~cs13.7.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1074236
Changes:
 node-ws (8.18.0+~cs13.7.11-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #1074236, CVE-2024-37890)
   * Update copyright
   * Drop unneeded dependency version constraint
   * Declare compliance with policy 4.7.0