Version in base suite: 0.39.1-2
Base version: python-eventlet_0.39.1-2
Target version: python-eventlet_0.39.1-2+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-eventlet/python-eventlet_0.39.1-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-eventlet/python-eventlet_0.39.1-2+deb13u1.dsc
 changelog | 12 +++
 patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch | 37 ++++++++++
 patches/series | 1
 3 files changed, 50 insertions(+)
diff -Nru python-eventlet-0.39.1/debian/changelog python-eventlet-0.39.1/debian/changelog
--- python-eventlet-0.39.1/debian/changelog	2025-04-01 14:44:12.000000000 +0000
+++ python-eventlet-0.39.1/debian/changelog	2025-09-02 08:43:30.000000000 +0000
@@ -1,3 +1,15 @@
+python-eventlet (0.39.1-2+deb13u1) trixie; urgency=medium
+
+  * CVE-2025-58068: Eventlet is a concurrent networking library for Python.
+    Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
+    Request Smuggling due to improper handling of HTTP trailer sections. This
+    vulnerability could enable attackers to, bypass front-end security
+    controls, launch targeted attacks against active site users, and poison web
+    caches. Applied upstream patch (Closes: #1112515):
+    - Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
+
+ -- Thomas Goirand  Tue, 02 Sep 2025 10:43:30 +0200
+
 python-eventlet (0.39.1-2) unstable; urgency=medium
 
   * Add test_send_1k_req_rep to blacklist, failing on armel.
diff -Nru python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
--- python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-eventlet-0.39.1/debian/patches/CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch	2025-09-02 08:43:30.000000000 +0000
@@ -0,0 +1,37 @@ +From: sebsrt +Date: Mon, 11 Aug 2025 11:46:28 +0200 +Description: CVE-2025-58068: Fix request smuggling vulnerability by discarding trailers (#1062) + The WSGI parser is vulnerable to a request smuggling vulnerability due + to not parsing trailer sections of an HTTP request. This patch fix that + by discarding trailers. +Origin: upstream, https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb.patch +Bug: https://github.com/eventlet/eventlet/pull/1062 +Bug-Debian: https://bugs.debian.org/1112515 +Last-Update: 2025-08-31 + +diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py +index 92d031797..b6b4d0ce8 100644 +--- a/eventlet/wsgi.py ++++ b/eventlet/wsgi.py +@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None): + read = b'' + self.position += len(read) + return read ++ ++ def _discard_trailers(self, rfile): ++ while True: ++ line = rfile.readline() ++ if not line or line in (b'\r\n', b'\n', b''): ++ break + + def _chunked_read(self, rfile, length=None, use_readline=False): + if self.should_send_hundred_continue: +@@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None, use_readline=False): + raise ChunkReadError(err) + self.position = 0 + if self.chunk_length == 0: +- rfile.readline() ++ self._discard_trailers(rfile) + except greenio.SSL.ZeroReturnError: + pass + return b''.join(response) diff -Nru python-eventlet-0.39.1/debian/patches/series python-eventlet-0.39.1/debian/patches/series --- python-eventlet-0.39.1/debian/patches/series 2025-04-01 14:44:12.000000000 +0000 +++ python-eventlet-0.39.1/debian/patches/series 2025-09-02 08:43:30.000000000 +0000 @@ -15,3 +15,4 @@ #use-raw-strings-to-avoid-warnings.patch install-all-files.patch fix-detecting-version.patch +CVE-2025-58068_Fix_request_smuggling_vulnerability_by_discarding_trailers.patch
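Review bot: The new `_discard_trailers` loop in the first inner hunk consumes the trailer section with an unbounded `rfile.readline()` and no cap on how many lines it will swallow, so the smuggling fix trades one problem for a resource-exhaustion one: a client that has sent the terminating zero-size chunk can keep the worker reading (and, for a newline-free trailer, buffering) indefinitely, which is the same class of input the request-line and header parser presumably already limits elsewhere in wsgi.py. Bound each read and keep a running total that raises `ChunkReadError` (already used two lines below in `_chunked_read`) once the trailer section exceeds the module's header-size limit; the names `MAX_HEADER_LINE` and `MAX_TOTAL_HEADER_SIZE` are assumed to be the existing limits in this version and should be confirmed before use. The `b''` member of the tuple is redundant since `not line` already handles EOF and can be dropped. Both the enclosing class and `_chunked_read` extend beyond the hunk, and the second hunk's call site needs no change for this.
```python
    def _discard_trailers(self, rfile):
        # Trailers are not exposed to the application; read them to the
        # terminating empty line so they cannot be re-parsed as the next
        # request, but refuse an unbounded trailer section (DoS).
        total = 0
        while True:
            line = rfile.readline(MAX_HEADER_LINE)  # assumed existing limit
            total += len(line)
            if total > MAX_TOTAL_HEADER_SIZE:
                raise ChunkReadError('chunked trailer section too large')
            if not line or line in (b'\r\n', b'\n'):
                break
```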