Your message dated Sun, 31 Aug 2025 22:19:58 +0000
with message-id <[email protected]>
and subject line Bug#1112515: fixed in python-eventlet 0.40.1-3
has caused the Debian Bug report #1112515,
regarding python-eventlet: CVE-2025-58068
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112515: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112515
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-eventlet
Version: 0.40.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eventlet/eventlet/pull/1062
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-eventlet.
CVE-2025-58068[0]:
| Eventlet is a concurrent networking library for Python. Prior to
| version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
| Request Smuggling due to improper handling of HTTP trailer sections.
| This vulnerability could enable attackers to bypass front-end
| security controls, launch targeted attacks against active site
| users, and poison web caches. This problem has been patched in
| Eventlet 0.40.3 by dropping trailers which is a breaking change if a
| backend behind eventlet.wsgi proxy requires trailers. A workaround
| involves not using eventlet.wsgi facing untrusted clients.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58068
https://www.cve.org/CVERecord?id=CVE-2025-58068
[1] https://github.com/eventlet/eventlet/pull/1062
[2] https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7
[3] https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
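The advisory above describes the fix as discarding HTTP trailer sections rather than merging them into the request headers. The following is an added illustration of that approach, written for this page; it is not eventlet's code or the upstream patch, and `read_chunked_body`, `demo` and the sample bytes are constructed here.

```python
import io

CRLF = b"\r\n"

def read_chunked_body(stream, keep_trailers=False):
    """Decode a 'Transfer-Encoding: chunked' body from a binary stream.

    Returns (body, trailers).  The trailer section is always consumed so the
    stream is left at the next request, but by default its lines are dropped
    rather than merged into the headers, the approach the advisory describes.
    Malformed input raises ValueError so the caller can reject the request.
    """
    body = bytearray()
    while True:
        size_line = stream.readline()
        if not size_line.endswith(CRLF):
            raise ValueError("chunk-size line not CRLF terminated")
        # A chunk-size may carry ';name=value' extensions; they are ignored.
        size_field = size_line[:-2].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_field)
        if size == 0:
            break  # last-chunk; the trailer section follows
        data = stream.read(size)
        if len(data) != size or stream.read(2) != CRLF:
            raise ValueError("truncated chunk")
        body += data
    # Trailer section: zero or more header-like lines, then an empty line.
    trailers = []
    while True:
        line = stream.readline()
        if not line.endswith(CRLF):
            raise ValueError("trailer section not terminated")
        if line == CRLF:
            break
        if keep_trailers:
            trailers.append(line[:-2])
    return bytes(body), trailers

# Constructed sample: two chunks, a trailer section with one trailer field,
# then the first bytes of whatever the client sends next on the connection.
SAMPLE = (b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n"
          b"X-Checksum: abc\r\n\r\nNEXT")

def demo(keep_trailers=False):
    stream = io.BytesIO(SAMPLE)
    body, trailers = read_chunked_body(stream, keep_trailers)
    return body, trailers, stream.read()
```

With the default `keep_trailers=False` the trailer field is consumed but never returned, so nothing after the last chunk can be mistaken for a header while the stream still lands on the next request's first byte.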
--- Begin Message ---
Source: python-eventlet
Source-Version: 0.40.1-3
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-eventlet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-eventlet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 Aug 2025 23:54:47 +0200
Source: python-eventlet
Architecture: source
Version: 0.40.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1112515
Changes:
python-eventlet (0.40.1-3) unstable; urgency=high
.
* CVE-2025-58068: Eventlet is a concurrent networking library for Python.
Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
Request Smuggling due to improper handling of HTTP trailer sections. This
vulnerability could enable attackers to bypass front-end security
controls, launch targeted attacks against active site users, and poison web
caches. Applied upstream patch (Closes: #1112515):
- Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
--- End Message ---