Your message dated Sun, 31 Aug 2025 22:08:18 +0000
with message-id <[email protected]>
and subject line Bug#1112515: fixed in python-eventlet 0.40.3-1
has caused the Debian Bug report #1112515,
regarding python-eventlet: CVE-2025-58068
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112515: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112515
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-eventlet
Version: 0.40.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eventlet/eventlet/pull/1062
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-eventlet.
CVE-2025-58068[0]:
| Eventlet is a concurrent networking library for Python. Prior to
| version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
| Request Smuggling due to improper handling of HTTP trailer sections.
| This vulnerability could enable attackers to bypass front-end
| security controls, launch targeted attacks against active site
| users, and poison web caches. This problem has been patched in
| Eventlet 0.40.3 by dropping trailers, which is a breaking change if a
| backend behind eventlet.wsgi proxy requires trailers. A workaround
| involves not using eventlet.wsgi facing untrusted clients.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58068
https://www.cve.org/CVERecord?id=CVE-2025-58068
[1] https://github.com/eventlet/eventlet/pull/1062
[2] https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7
[3] https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
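The CVE text above names the vulnerability class (HTTP request smuggling through mishandled trailer sections) and the chosen fix (drop trailers). The following is an added example written for this page; it is not eventlet's code and does not reproduce eventlet's WSGI parser or the exact bug fixed in 0.40.3. It shows a chunked-body decoder that consumes the trailer section and returns it separately so the caller can drop it, next to a deliberately naive decoder that stops at the last-chunk line and therefore leaves the trailer bytes in the connection buffer for the next request parser. The request stream, the header names and the function names are all constructed for the example.

```python
"""Chunked-body decoding with the trailer section consumed and dropped.

Added example for the vulnerability class in CVE-2025-58068 (request smuggling
via HTTP trailer handling). NOT eventlet's code: REQUEST_STREAM is constructed
for the example, and naive_decode_chunked is a generic illustration of a parser
that stops at the last-chunk line, not eventlet's actual code path.
"""
from __future__ import annotations

CRLF = b"\r\n"
HEXDIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Raised on a malformed or truncated chunked body."""


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, position just after the CRLF)."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ChunkedError("truncated: no CRLF")
    return buf[pos:end], end + 2


def _read_chunks(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read chunks up to and including the last-chunk line ("0" CRLF)."""
    body = bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0].strip()  # ignore chunk extensions
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ChunkedError(f"bad chunk-size line {line!r}")
        size = int(size_field, 16)
        if size == 0:
            return bytes(body), pos
        if pos + size + 2 > len(buf):
            raise ChunkedError("truncated chunk data")
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise ChunkedError("chunk data not terminated by CRLF")
        pos += 2


def decode_chunked(buf: bytes, start: int = 0) -> tuple[bytes, list[bytes], int]:
    """Decode a chunked body; return (body, trailer_lines, next_pos).

    The trailer section (zero or more field lines, then an empty line) is read
    and returned separately so the caller can drop it. next_pos is the first
    byte after the whole chunked body, i.e. where the next request on a
    keep-alive connection begins.
    """
    body, pos = _read_chunks(buf, start)
    trailers: list[bytes] = []
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            return body, trailers, pos
        # A field line must be "name: value" with no leading whitespace.
        if b":" not in line or line[0] in b" \t":
            raise ChunkedError(f"malformed trailer line {line!r}")
        trailers.append(line)


def naive_decode_chunked(buf: bytes, start: int = 0) -> tuple[bytes, int]:
    """Illustrative bad decoder: stops right after the last-chunk line.

    Everything in the trailer section stays in the connection buffer and is
    handed to whatever parses the next request. Two parsers disagreeing on
    where one request ends and the next begins is what request smuggling
    exploits.
    """
    return _read_chunks(buf, start)


# Constructed keep-alive stream: a chunked POST carrying one trailer field,
# followed by a second request on the same connection.
REQUEST_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Checksum: 5d41402a\r\n"  # trailer field
    b"\r\n"
    b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
BODY_START = REQUEST_STREAM.index(b"\r\n\r\n") + 4


def next_request_line(decoder) -> bytes:
    """Run a decoder over REQUEST_STREAM and return the line the next request
    parser would read as its request-line."""
    next_pos = decoder(REQUEST_STREAM, BODY_START)[-1]
    return _read_line(REQUEST_STREAM, next_pos)[0]


if __name__ == "__main__":
    print("correct decoder, next request-line:", next_request_line(decode_chunked))
    print("naive decoder,   next request-line:", next_request_line(naive_decode_chunked))
```

With the correct decoder the next request-line is `GET /next HTTP/1.1`; with the naive one it is the trailer field `X-Checksum: 5d41402a`, so the second request is parsed from the wrong offset. A front end and a back end that differ in this way on the same stream is the precondition for the cache poisoning and control bypass listed in the CVE text; dropping trailers after consuming them, as upstream chose to do, removes the ambiguity at the cost of trailer support.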
--- Begin Message ---
Source: python-eventlet
Source-Version: 0.40.3-1
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-eventlet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-eventlet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 Aug 2025 17:43:14 +0200
Source: python-eventlet
Architecture: source
Version: 0.40.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1112515
Changes:
python-eventlet (0.40.3-1) experimental; urgency=medium
.
* New upstream release:
- Fixes CVE-2025-58068 (Eventlet WSGI parser is vulnerable to HTTP
Request Smuggling due to improper handling of HTTP trailer section).
(Closes: #1112515).
Checksums-Sha1:
635d99d867927e8240ba31b508455a676e2f89ec 2498 python-eventlet_0.40.3-1.dsc
1a7cc289fc43349a60d55b1c9839511192466d18 476748 python-eventlet_0.40.3.orig.tar.xz
5f6b795bc525b442a1aefdcde0a28b19cf256813 24128 python-eventlet_0.40.3-1.debian.tar.xz
d825415ec45aabd20db05f516efd40508ba6eea1 9392 python-eventlet_0.40.3-1_amd64.buildinfo
Checksums-Sha256:
ac8b435243730f812e717231d768f406ea0e05de8ce06fad0996b94c20bd691b 2498 python-eventlet_0.40.3-1.dsc
50db0a4e6b8e3053f0a0bc8d711de2fa02de54f415815ffaac6ccf32eeae2d7c 476748 python-eventlet_0.40.3.orig.tar.xz
4ea29dd56fd7b77cd2e5b1f5f300a1fcdd5d134baf2939134144882c2e588f06 24128 python-eventlet_0.40.3-1.debian.tar.xz
3639e69bcc61c2dc3add4d54c18a1e8cc11a816523b8cf50f05749c084ae3987 9392 python-eventlet_0.40.3-1_amd64.buildinfo
Files:
42258c00ee99d5d22ea350efc4542113 2498 python optional python-eventlet_0.40.3-1.dsc
6774c32551acb61b10ebdcd5a0274d08 476748 python optional python-eventlet_0.40.3.orig.tar.xz
1359d4e288b324b959f2a4ead0d2ee1b 24128 python optional python-eventlet_0.40.3-1.debian.tar.xz
fe1330fa9ef848c99a6cb959c29de9af 9392 python optional python-eventlet_0.40.3-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---