#1108355 node-ws: please fix CVE-2024-37890 in bullseye (DoS via uncaught exception)

Package:
src:node-ws
Source:
src:node-ws
Submitter:
Yang Wang
Date:
2025-07-21 20:43:02 UTC
Severity:
normal
#1108355#5
Date:
2025-06-26 17:45:55 UTC
Dear Maintainer,

The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError in websocket-server.js when handling crafted HTTP requests). See:
https://security-tracker.debian.org/tracker/CVE-2024-37890
https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f

I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as:

  7.4.2+~cs18.0.8-3+deb11u1

The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the provided PoC.

Please consider applying this patch to stable (bookworm).

Best regards,
Yang Wang
<yang.wang@windriver.com>

#1108355#32
Date:
2025-07-19 08:59:29 UTC
Hello,

Thanks for proposing a patch.

We usually don't publish a DLA for a single, minor CVE fix. In addition,
we try to be consistent with the other dists in Debian, but this CVE
isn't fixed in stable.

You seem to confuse stable (bookworm) and LTS (bullseye) in your e-mail.
Please make sure you're targeting the right release.

Overall I would recommend first discussing the situation with the
package maintainers (Debian Javascript Team).

Cheers!
Sylvain Beucler
Debian LTS Team

#1108355#37
Date:
2025-07-21 20:32:20 UTC
Thanks a lot for the great suggestion, will do.

Do you have a recommended CVE list which you think Debian contributors
can work on?

Much appreciated,
-Yang