Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id
<736c7150dc08501cc89945035c406eaf9688e144.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1113761,
regarding trixie-pu: package python-eventlet/0.39.1-2 CVE-2025-58068
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1113761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113761
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-eventlet
User: [email protected]
Usertags: pu
Hi,
[ Reason ]
I'd like to fix:
https://bugs.debian.org/1112515
aka: CVE-2025-58068
[ Impact ]
Potential HTTP request smuggling.
[ Tests ]
I've set this already in production in my deployment.
[ Risks ]
Trivial patch that discards the chunk's trailer.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Please allow me to upload python-eventlet/0.39.1-2+deb13u1
as per debdiff.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-eventlet-0.39.1/debian/changelog
python-eventlet-0.39.1/debian/changelog
--- python-eventlet-0.39.1/debian/changelog 2025-04-01 16:44:12.000000000
+0200
+++ python-eventlet-0.39.1/debian/changelog 2025-09-02 10:43:30.000000000
+0200
@@ -1,3 +1,15 @@
+python-eventlet (0.39.1-2+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-58068: Eventlet is a concurrent networking library for Python.
+ Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
+ Request Smuggling due to improper handling of HTTP trailer sections. This
+ vulnerability could enable attackers to, bypass front-end security
+ controls, launch targeted attacks against active site users, and poison web
+ caches. Applied upstream patch (Closes: #1112515):
+ - Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
+
+ -- Thomas Goirand <[email protected]> Tue, 02 Sep 2025 10:43:30 +0200
+
python-eventlet (0.39.1-2) unstable; urgency=medium
* Add test_send_1k_req_rep to blacklist, failing on armel.
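Review bot: stray comma in "enable attackers to, bypass front-end security controls" in the new changelog entry; the rest of that paragraph is the upstream advisory text already carried in the patch header (Description/Origin/Bug), so the entry could be trimmed to the CVE id, a one-line summary such as "discard trailer sections after the final chunk", the patch name and the Closes reference, which is what debian/changelog readers scan for.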
diff -Nru
python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
---
python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
1970-01-01 01:00:00.000000000 +0100
+++
python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
2025-09-02 10:43:30.000000000 +0200
@@ -0,0 +1,37 @@
+From: sebsrt <[email protected]>
+Date: Mon, 11 Aug 2025 11:46:28 +0200
+Description: CVE-2025-58068: Fix request smuggling vulnerability by discarding
trailers (#1062)
+ The WSGI parser is vulnerable to a request smuggling vulnerability due
+ to not parsing trailer sections of an HTTP request. This patch fix that
+ by discarding trailers.
+Origin: upstream,
https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb.patch
+Bug: https://github.com/eventlet/eventlet/pull/1062
+Bug-Debian: https://bugs.debian.org/1112515
+Last-Update: 2025-08-31
+
+diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py
+index 92d031797..b6b4d0ce8 100644
+--- a/eventlet/wsgi.py
++++ b/eventlet/wsgi.py
+@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None):
+ read = b''
+ self.position += len(read)
+ return read
++
++ def _discard_trailers(self, rfile):
++ while True:
++ line = rfile.readline()
++ if not line or line in (b'\r\n', b'\n', b''):
++ break
+
+ def _chunked_read(self, rfile, length=None, use_readline=False):
+ if self.should_send_hundred_continue:
+@@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None,
use_readline=False):
+ raise ChunkReadError(err)
+ self.position = 0
+ if self.chunk_length == 0:
+- rfile.readline()
++ self._discard_trailers(rfile)
+ except greenio.SSL.ZeroReturnError:
+ pass
+ return b''.join(response)
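Review bot: `_discard_trailers` returns normally when `rfile.readline()` hits EOF (`not line` breaks the loop), so a body whose trailer section is cut off before the blank line is treated as complete and `_chunked_read` still returns `b''.join(response)`; the `raise ChunkReadError(err)` path used a few lines above for a bad chunk-size line is the natural place to report a truncated trailer section as well. Two smaller points: the loop has no upper bound on the number of trailer lines it will consume, so a cap that raises `ChunkReadError` on overflow would keep the work done per request predictable; and the `b''` member of the tuple in `if not line or line in (b'\r\n', b'\n', b'')` is already covered by `not line`.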
diff -Nru python-eventlet-0.39.1/debian/patches/series
python-eventlet-0.39.1/debian/patches/series
--- python-eventlet-0.39.1/debian/patches/series 2025-04-01
16:44:12.000000000 +0200
+++ python-eventlet-0.39.1/debian/patches/series 2025-09-02
10:43:30.000000000 +0200
@@ -15,3 +15,4 @@
#use-raw-strings-to-avoid-warnings.patch
install-all-files.patch
fix-detecting-version.patch
+CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
--- End Message ---
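An added example, not eventlet's code, showing the hardened shape of the chunked-body read that the patch description calls for: the trailer section is consumed up to and including its blank line so the next request on a keep-alive connection begins at the right byte, with a constructed bound on trailer lines and an error on EOF (all names and the sample request are assumptions, not eventlet's).

```python
# Added example, not eventlet's code: a minimal chunked-body reader that
# consumes the whole trailer section after the last chunk, so a keep-alive
# connection's next request starts where it should. Bound is constructed.
import io

MAX_TRAILER_LINES = 32  # constructed bound, not an eventlet setting


class ChunkReadError(Exception):
    pass


def discard_trailers(rfile, limit=MAX_TRAILER_LINES):
    # Read trailer lines up to and including the blank line. A single
    # readline() would leave further trailer lines in the stream, and EOF
    # before the blank line is reported rather than silently accepted.
    for _ in range(limit):
        line = rfile.readline()
        if not line:
            raise ChunkReadError("EOF inside trailer section")
        if line in (b"\r\n", b"\n"):
            return
    raise ChunkReadError("too many trailer lines")


def read_chunked_body(rfile):
    # Decode chunks; return the body with rfile positioned at the next request.
    parts = []
    while True:
        size_line = rfile.readline()
        if not size_line:
            raise ChunkReadError("EOF while reading chunk size")
        try:  # a chunk-size line may carry ';ext=...', ignored here
            size = int(size_line.split(b";", 1)[0].strip(), 16)
        except ValueError as err:
            raise ChunkReadError(err)
        if size == 0:
            discard_trailers(rfile)
            return b"".join(parts)
        data = rfile.read(size)
        if len(data) != size:
            raise ChunkReadError("short chunk")
        parts.append(data)
        if rfile.readline() not in (b"\r\n", b"\n"):
            raise ChunkReadError("missing chunk terminator")


# Constructed sample: one 5-byte chunk, one trailer field, then a second request.
SAMPLE = b"5\r\nhello\r\n0\r\nX-Trailer: v\r\n\r\nGET /next HTTP/1.1\r\n\r\n"


def demo(raw=SAMPLE):
    rfile = io.BytesIO(raw)
    body = read_chunked_body(rfile)
    return body, rfile.readline()  # first line of the next request
```

With the sample input, `demo()` returns the body `b"hello"` and the request line `b"GET /next HTTP/1.1\r\n"`, showing that nothing from the trailer section is left to be read as a new request.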
--- Begin Message ---
Package: release.debian.org
Version: 13.2
Hi,
The updates referenced in each of these bugs were included in today's
13.2 trixie point release.
Regards,
Adam
--- End Message ---