Bug 1351230 – CVE-2016-1000025 nodejs-ws: DoS due to excessively large websocket message

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1351230 - (CVE-2016-1000025) CVE-2016-1000025 nodejs-ws: DoS due to excessively large websocket message

Summary:	CVE-2016-1000025 nodejs-ws: DoS due to excessively large websocket message

Status:	CLOSED WONTFIX

Aliases:	CVE-2016-1000025

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160624,repor...
Keywords:	Security

Depends On:	1351231 1351232 1351233
Blocks:	1351235
	Show dependency tree / graph

Reported:	2016-06-29 10:04 EDT by Andrej Nemec
Modified:	2016-07-18 14:49 EDT (History)
CC List:	11 users (show)

See Also:
Fixed In Version:	nodejs-ws 1.1.1
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-06-29 14:24:01 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-06-29 10:04:31 EDT

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455"

By sending an overly long websocket payload to a ws server, it is possible to crash the node process.

External references:

https://nodesecurity.io/advisories/120

Upstream bug:

https://github.com/nodejs/node/issues/7388

Comment 2 Andrej Nemec 2016-06-29 10:05:15 EDT

Created nodejs-ws tracking bugs for this issue:

Affects: fedora-all [bug 1351231]
Affects: epel-all [bug 1351232]

Comment 3 Kurt Seifried 2016-06-29 14:24:25 EDT

Statement:

This issue affects the versions of nodejs-ws as shipped with Red Hat OpenShift Enterprise 2. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 4 Fedora Update System 2016-07-09 19:52:41 EDT

nodejs-ws-1.1.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-07-10 01:56:48 EDT

nodejs-ws-1.1.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Andrej Nemec 2016-07-13 04:04:16 EDT

CVE assignment:

https://github.com/distributedweaknessfiling/DWF-Database/commit/5e607a0cad2769db2be5aafc4d9b1ec49bd7bbbc

Comment 7 Fedora Update System 2016-07-17 11:46:21 EDT

nodejs-ws-1.1.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-07-18 14:49:26 EDT

nodejs-ws-1.1.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.