Source: python-eventlet
Version: 0.40.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eventlet/eventlet/pull/1062
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-eventlet.

CVE-2025-58068[0]:
| Eventlet is a concurrent networking library for Python. Prior to
| version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP
| Request Smuggling due to improper handling of HTTP trailer sections.
| This vulnerability could enable attackers to, bypass front-end
| security controls, launch targeted attacks against active site
| users, and poison web caches. This problem has been patched in
| Eventlet 0.40.3 by dropping trailers which is a breaking change if a
| backend behind eventlet.wsgi proxy requires trailers. A workaround
| involves not using eventlet.wsgi facing untrusted clients.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58068
    https://www.cve.org/CVERecord?id=CVE-2025-58068
[1] https://github.com/eventlet/eventlet/pull/1062
[2] https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7
[3] https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
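The fix described in the advisory is to drop the trailer section of a chunked request body. The example below is an added illustration of that approach and is not eventlet's code or the upstream patch; it is a standalone chunked-body decoder that consumes every trailer field, discards it, and reports the exact offset at which the next pipelined request starts, so that nothing in the trailer section can alter request framing. The sample request stream, the hostnames and the helper names are constructed for the example.

```python
import re
from typing import List, Tuple

# Matches a chunk-size line: hex size, optionally followed by ";ext=value"
# chunk extensions (RFC 9112 section 7.1).
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")


class ChunkedError(ValueError):
    """Raised when the chunked body is malformed or truncated."""


def decode_chunked(buf: bytes, start: int = 0) -> Tuple[bytes, int, List[str]]:
    """Decode a chunked body beginning at buf[start].

    Returns (body, end_offset, dropped_trailer_names). end_offset is the index
    of the first byte after the CRLF that terminates the trailer section, i.e.
    where the next pipelined request begins. Every trailer field is consumed
    and discarded (the "drop trailers" approach), so a trailer cannot be
    mistaken for a header of this or the following request.
    """
    pos = start
    body = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("truncated chunk-size line")
        m = _CHUNK_SIZE_RE.match(buf[pos:eol])
        if m is None:
            raise ChunkedError("invalid chunk-size line: %r" % buf[pos:eol])
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; the trailer section follows
        if len(buf) < pos + size + 2:
            raise ChunkedError("truncated chunk data")
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not terminated by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2

    # Trailer section: zero or more field lines, ended by an empty line.
    # Field names are recorded (for logging) and then thrown away.
    dropped: List[str] = []
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("truncated trailer section")
        line = buf[pos:eol]
        pos = eol + 2
        if not line:
            break
        name, sep, _ = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ChunkedError("malformed trailer line: %r" % line)
        dropped.append(name.decode("ascii", "replace").lower())
    return bytes(body), pos, dropped


def split_first_request(stream: bytes) -> Tuple[bytes, List[str], bytes]:
    """Parse the first chunked request in `stream` (hypothetical helper) and
    return (body, dropped_trailer_names, bytes_belonging_to_the_next_request)."""
    hdr_end = stream.find(b"\r\n\r\n")
    if hdr_end < 0:
        raise ChunkedError("no end of headers")
    body, end, dropped = decode_chunked(stream, hdr_end + 4)
    return body, dropped, stream[end:]


# Constructed sample: two pipelined requests. The first is chunked and carries
# a trailer section that includes a Content-Length field; a decoder that drops
# trailers must neither apply it nor let it leak into the second request.
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6;ext=1\r\n world\r\n"
    b"0\r\n"
    b"X-Checksum: deadbeef\r\n"
    b"Content-Length: 999\r\n"
    b"\r\n"
    b"GET /next HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    body, dropped, rest = split_first_request(SAMPLE_STREAM)
    print("body:", body)
    print("dropped trailers:", dropped)
    print("next request starts with:", rest.split(b"\r\n", 1)[0])
```

The decoder is strict on purpose: a chunk-size line that is not plain hex (plus optional extensions), chunk data not followed by CRLF, or a trailer line without a colon all raise rather than being guessed at, since lenient recovery is exactly where a front-end proxy and a back-end parser can disagree about where one request ends and the next begins.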

