Hello community,
here is the log from the commit of package python-eventlet for openSUSE:Factory
checked in at 2025-09-01 17:17:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-eventlet (Old)
and /work/SRC/openSUSE:Factory/.python-eventlet.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-eventlet"
Mon Sep 1 17:17:02 2025 rev:65 rq:1302189 version:0.40.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-eventlet/python-eventlet.changes
2025-08-08 15:10:43.521280557 +0200
+++
/work/SRC/openSUSE:Factory/.python-eventlet.new.1977/python-eventlet.changes
2025-09-01 17:17:27.713090370 +0200
@@ -1,0 +2,7 @@
+Mon Sep 1 06:01:39 UTC 2025 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to 0.40.3
+ * [SECURITY] Fix request smuggling vulnerability by discarding
+ trailers (#1062) (CVE-2025-58068, bsc#1248994)
+
+-------------------------------------------------------------------
Old:
----
eventlet-0.40.2.tar.gz
New:
----
eventlet-0.40.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-eventlet.spec ++++++
--- /var/tmp/diff_new_pack.VSwHLS/_old 2025-09-01 17:17:28.233112387 +0200
+++ /var/tmp/diff_new_pack.VSwHLS/_new 2025-09-01 17:17:28.237112557 +0200
@@ -18,7 +18,7 @@
%{?sle15_python_module_pythons}
Name: python-eventlet
-Version: 0.40.2
+Version: 0.40.3
Release: 0
Summary: Concurrent networking library for Python
License: MIT
++++++ eventlet-0.40.2.tar.gz -> eventlet-0.40.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/eventlet-0.40.2/NEWS new/eventlet-0.40.3/NEWS
--- old/eventlet-0.40.2/NEWS 2020-02-02 01:00:00.000000000 +0100
+++ new/eventlet-0.40.3/NEWS 2020-02-02 01:00:00.000000000 +0100
@@ -1,6 +1,11 @@
Unreleased
==========
+0.40.3
+======
+
+* [SECURITY] Fix request smuggling vulnerability by discarding trailers (#1062)
+
0.40.2
======
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/eventlet-0.40.2/PKG-INFO new/eventlet-0.40.3/PKG-INFO
--- old/eventlet-0.40.2/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
+++ new/eventlet-0.40.3/PKG-INFO 2020-02-02 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: eventlet
-Version: 0.40.2
+Version: 0.40.3
Summary: Highly concurrent networking library
Project-URL: Homepage, https://github.com/eventlet/eventlet
Project-URL: History, https://github.com/eventlet/eventlet/blob/master/NEWS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/eventlet-0.40.2/eventlet/_version.py
new/eventlet-0.40.3/eventlet/_version.py
--- old/eventlet-0.40.2/eventlet/_version.py 2020-02-02 01:00:00.000000000
+0100
+++ new/eventlet-0.40.3/eventlet/_version.py 2020-02-02 01:00:00.000000000
+0100
@@ -1,7 +1,14 @@
# file generated by setuptools-scm
# don't change, don't track in version control
-__all__ = ["__version__", "__version_tuple__", "version", "version_tuple"]
+__all__ = [
+ "__version__",
+ "__version_tuple__",
+ "version",
+ "version_tuple",
+ "__commit_id__",
+ "commit_id",
+]
TYPE_CHECKING = False
if TYPE_CHECKING:
@@ -9,13 +16,19 @@
from typing import Union
VERSION_TUPLE = Tuple[Union[int, str], ...]
+ COMMIT_ID = Union[str, None]
else:
VERSION_TUPLE = object
+ COMMIT_ID = object
version: str
__version__: str
__version_tuple__: VERSION_TUPLE
version_tuple: VERSION_TUPLE
+commit_id: COMMIT_ID
+__commit_id__: COMMIT_ID
-__version__ = version = '0.40.2'
-__version_tuple__ = version_tuple = (0, 40, 2)
+__version__ = version = '0.40.3'
+__version_tuple__ = version_tuple = (0, 40, 3)
+
+__commit_id__ = commit_id = None
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/eventlet-0.40.2/eventlet/wsgi.py
new/eventlet-0.40.3/eventlet/wsgi.py
--- old/eventlet-0.40.2/eventlet/wsgi.py 2020-02-02 01:00:00.000000000
+0100
+++ new/eventlet-0.40.3/eventlet/wsgi.py 2020-02-02 01:00:00.000000000
+0100
@@ -152,6 +152,12 @@
read = b''
self.position += len(read)
return read
+
+ def _discard_trailers(self, rfile):
+ while True:
+ line = rfile.readline()
+ if not line or line in (b'\r\n', b'\n', b''):
+ break
def _chunked_read(self, rfile, length=None, use_readline=False):
if self.should_send_hundred_continue:
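Review bot: `_discard_trailers` calls `rfile.readline()` with no size argument inside `while True`, so neither the length of one trailer line nor the number of trailer lines is bounded, and a peer that keeps sending non-empty lines keeps this reader occupied until the socket closes. Because the trailers are only thrown away, the loop can cap both and fail the request when a cap is hit; it should fail rather than carry on after a truncated read, since a size-limited `readline` can return a bare `b'\r\n'` fragment from the tail of an over-long line and end the discard early. The two limit names below are placeholders that are not defined in this hunk, and how callers handle `ChunkReadError` is outside it, so both need confirming against the rest of the module. The `b''` entry in the tuple is also redundant with `not line`.

```python
    def _discard_trailers(self, rfile):
        # Trailers are dropped, not parsed; bound line size and line count so
        # the discard loop cannot be kept running by the peer.
        for _ in range(MAX_TRAILER_LINES):  # placeholder limit
            line = rfile.readline(MAX_TRAILER_LINE + 1)  # placeholder limit
            if line in (b'\r\n', b'\n', b''):
                return
            # Over-long or unterminated line: reject instead of resuming mid-line.
            if len(line) > MAX_TRAILER_LINE or not line.endswith(b'\n'):
                raise ChunkReadError('trailer line too long')
        raise ChunkReadError('too many trailer lines')
```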
@@ -202,7 +208,7 @@
raise ChunkReadError(err)
self.position = 0
if self.chunk_length == 0:
- rfile.readline()
+ self._discard_trailers(rfile)
except greenio.SSL.ZeroReturnError:
pass
return b''.join(response)
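Review bot: The new call `self._discard_trailers(rfile)` under `if self.chunk_length == 0:` carries no comment saying why more than one line is consumed after the last chunk, and the helper it calls has no docstring. A short comment at the call site would keep a later cleanup from reverting it to a single `readline()`, for example `# last chunk: consume the whole trailer section, up to its blank line, so none of it stays in rfile`. `_chunked_read` starts and ends outside this hunk, so whether anything else reads from `rfile` after this point cannot be checked from here.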