Bug 989172 (CVE-2016-1000025) - VUL-0: CVE-2016-1000025: nodejs-ws: DoS due to excessively large websocket message
Summary: VUL-0: CVE-2016-1000025: nodejs-ws: DoS due to excessively large websocket me...
Status: RESOLVED WONTFIX
Alias: CVE-2016-1000025
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Joachim Gleissner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170968/
Whiteboard: CVSSv2:NVD:CVE-2016-1000:10.0:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-15 13:39 UTC by Andreas Stieger
Modified: 2019-05-01 17:19 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-07-15 13:39:35 UTC 
Courtesy bug from the SUSE security team against devel:languages:nodejs/nodejs-ws:

From https://nodesecurity.io/advisories/120:

Overview: By sending an overly long websocket payload to a ws server, it is possible to crash the node process.

Remediation: Update to version 1.1.1 of ws, or if that is not possible, set the maxpayload option for the ws server - make sure the value is less than 256MB.
References

https://github.com/nodejs/node/issues/7388

devel:languages:nodejs/nodejs-ws is at 0.7.1 from May 2015.

References:
https://nodesecurity.io/advisories/120
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000025
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1000025.html
Comment 2 Swamp Workflow Management 2016-07-15 22:01:00 UTC 
bugbot adjusting priority
Comment 3 Joachim Gleissner 2017-01-10 09:39:15 UTC 
Sorry for the ignoring this for so long. I'm not really maintaining node.js, I think nobody is (packages mostly disabled in OBS).