
Bug#1113761: marked as done (trixie-pu: package python-eventlet/0.39.1-2 CVE-2025-58068)



Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1113761,
regarding trixie-pu: package python-eventlet/0.39.1-2 CVE-2025-58068
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1113761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113761
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: python-eventlet@packages.debian.org
Control: affects -1 + src:python-eventlet
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
I'd like to fix:
https://bugs.debian.org/1112515

aka: CVE-2025-58068

[ Impact ]
Potential HTTP request smuggling.

[ Tests ]
I've already deployed this in production.

[ Risks ]
Trivial patch that discards the chunk's trailer.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Please allow me to upload python-eventlet/0.39.1-2+deb13u1
as per debdiff.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-eventlet-0.39.1/debian/changelog python-eventlet-0.39.1/debian/changelog
--- python-eventlet-0.39.1/debian/changelog	2025-04-01 16:44:12.000000000 +0200
+++ python-eventlet-0.39.1/debian/changelog	2025-09-02 10:43:30.000000000 +0200
@@ -1,3 +1,15 @@
+python-eventlet (0.39.1-2+deb13u1) trixie; urgency=medium
+
+  * CVE-2025-58068: Eventlet is a concurrent networking library for Python.
+    Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
+    Request Smuggling due to improper handling of HTTP trailer sections. This
+    vulnerability could enable attackers to, bypass front-end security
+    controls, launch targeted attacks against active site users, and poison web
+    caches. Applied upstream patch (Closes: #1112515):
+    - Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 02 Sep 2025 10:43:30 +0200
+
 python-eventlet (0.39.1-2) unstable; urgency=medium
 
   * Add test_send_1k_req_rep to blacklist, failing on armel.
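Review bot: the patch file named at the end of the new changelog entry (`- Fix_request_smuggling_vulnerability_by_discarding_trailers.patch`) does not match the file this debdiff actually adds to debian/patches and to series, which is `CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch`; list the full file name so the changelog can be checked against the series file. Minor wording: drop the stray comma in "could enable attackers to, bypass front-end security controls".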
diff -Nru python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
--- python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch	2025-09-02 10:43:30.000000000 +0200
@@ -0,0 +1,37 @@
+From: sebsrt <s@sebsrt.xyz>
+Date: Mon, 11 Aug 2025 11:46:28 +0200
+Description: CVE-2025-58068: Fix request smuggling vulnerability by discarding trailers (#1062)
+ The WSGI parser is vulnerable to a request smuggling vulnerability due
+ to not parsing trailer sections of an HTTP request. This patch fix that
+ by discarding trailers.
+Origin: upstream, https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb.patch
+Bug: https://github.com/eventlet/eventlet/pull/1062
+Bug-Debian: https://bugs.debian.org/1112515
+Last-Update: 2025-08-31
+
+diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
+index 92d031797..b6b4d0ce8 100644
+--- a/eventlet/wsgi.py
++++ b/eventlet/wsgi.py
+@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None):
+             read = b''
+         self.position += len(read)
+         return read
++    
++    def _discard_trailers(self, rfile):
++        while True:
++            line = rfile.readline()
++            if not line or line in (b'\r\n', b'\n', b''):
++                break
+ 
+     def _chunked_read(self, rfile, length=None, use_readline=False):
+         if self.should_send_hundred_continue:
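Review bot: the `while True` loop in `_discard_trailers` has no bound on how many trailer lines it will read, so a client can send an arbitrarily long trailer section and keep the worker reading and discarding lines until it closes the connection; consider capping the number of lines and raising `ChunkReadError` past the cap, as `_chunked_read` already does for other chunk-parsing failures. The same check also returns silently when `readline()` hits EOF before the blank line, so a truncated trailer section is accepted as a complete body; decide whether that should instead be reported. Style: `b''` in `line in (b'\r\n', b'\n', b'')` is redundant because `not line` already covers an empty read, and the added blank line `++    ` carries trailing whitespace.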
+@@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None, use_readline=False):
+                         raise ChunkReadError(err)
+                     self.position = 0
+                     if self.chunk_length == 0:
+-                        rfile.readline()
++                        self._discard_trailers(rfile)
+         except greenio.SSL.ZeroReturnError:
+             pass
+         return b''.join(response)
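Review bot: the debdiff adds no regression test for the new behaviour. Add a case that sends a chunked body with a trailer section of two or more fields followed by a second request on the same keep-alive connection and asserts that the second request is parsed intact: the replaced `rfile.readline()` consumed only the first trailer line after the zero-length chunk, leaving the remaining trailer bytes to be read as the start of the next request, and a test pinning that down is what prevents the bug from reappearing in a future rebase of this patch.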
diff -Nru python-eventlet-0.39.1/debian/patches/series python-eventlet-0.39.1/debian/patches/series
--- python-eventlet-0.39.1/debian/patches/series	2025-04-01 16:44:12.000000000 +0200
+++ python-eventlet-0.39.1/debian/patches/series	2025-09-02 10:43:30.000000000 +0200
@@ -15,3 +15,4 @@
 #use-raw-strings-to-avoid-warnings.patch
 install-all-files.patch
 fix-detecting-version.patch
+CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch

--- End Message ---
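To make the smuggling mechanism in the report above concrete, here is an added example that is not part of the bug report or of eventlet's own code. It re-implements, in a few lines, the two chunked-body readers the patch switches between (the old "read one line after the zero chunk" and the new "discard every trailer line up to the blank line") and runs both over a constructed byte stream in which a chunked body with trailers is followed by a second pipelined request. The `max_lines` cap on trailer lines is an assumption added here for safety, not something the upstream patch does.

```python
import io

# Constructed sample stream for this example: a chunked request body that ends
# with a trailer section, followed on the same keep-alive connection by a
# second, pipelined request.
NEXT_REQUEST = b"GET /next HTTP/1.1\r\nHost: example\r\n\r\n"
SAMPLE = (
    b"5\r\nhello\r\n"
    b"0\r\n"                  # zero-length chunk ends the body
    b"X-Trailer: one\r\n"     # trailer fields after the last chunk
    b"X-Trailer: two\r\n"
    b"\r\n"                   # blank line that terminates the trailer section
    + NEXT_REQUEST
)


def discard_trailers(rfile, max_lines=64):
    """Consume trailer lines up to and including the blank line.

    Uses the same termination test as the upstream fix (stop at CRLF, LF or
    EOF).  The max_lines cap is an addition made for this example, not part of
    the patch: without it a client can keep the server reading trailer lines
    for as long as it likes.
    """
    for _ in range(max_lines):
        line = rfile.readline()
        if not line or line in (b"\r\n", b"\n"):
            return
    raise ValueError("too many trailer lines")


def read_chunked(rfile, fixed):
    """Read one chunked body; return (body, bytes left unread in rfile).

    fixed=False reproduces the pre-patch behaviour (a single readline() after
    the zero chunk); fixed=True discards the whole trailer section.  Whatever
    is left in rfile is what the server would parse as the next request.
    """
    body = []
    while True:
        size_line = rfile.readline()
        if not size_line:
            raise ValueError("truncated chunked body")
        # chunk-size may carry ";ext=val" extensions; ignore them
        size = int(size_line.split(b";", 1)[0].strip(), 16)
        if size == 0:
            if fixed:
                discard_trailers(rfile)
            else:
                rfile.readline()
            break
        body.append(rfile.read(size))
        rfile.readline()  # CRLF that terminates the chunk data
    return b"".join(body), rfile.read()


def parse_bytes(data, fixed):
    """Convenience wrapper: parse a bytes object instead of a file-like."""
    return read_chunked(io.BytesIO(data), fixed)


def compare(stream=SAMPLE):
    """Run both readers over the same bytes; return {name: (body, leftover)}."""
    return {
        "before": parse_bytes(stream, fixed=False),
        "after": parse_bytes(stream, fixed=True),
    }


if __name__ == "__main__":
    for name, (body, leftover) in compare().items():
        print(f"{name}: body={body!r} next-request-buffer={leftover!r}")
```

With the old reader the buffer left for the next request starts with `X-Trailer: two\r\n\r\n`, i.e. trailer bytes chosen by the client are parsed as the beginning of a new request, which is the desynchronisation a front-end proxy that does understand trailers will not see; with the fix the leftover is exactly the second request.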
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---
