Debian Bug report logs - #988342: python-eventlet: CVE-2021-21419
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 10 May 2021 19:27:04 UTC
Severity: important
Tags: security, upstream
Found in versions python-eventlet/0.26.1-6, python-eventlet/0.20.0-6
Fixed in version python-eventlet/0.26.1-7
Done: Thomas Goirand <zigo@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>: Bug#988342; Package src:python-eventlet. (Mon, 10 May 2021 19:27:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Mon, 10 May 2021 19:27:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: python-eventlet
Version: 0.26.1-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.20.0-6
Hi,
The following vulnerability was published for python-eventlet.
CVE-2021-21419[0]:
| Eventlet is a concurrent networking library for Python. A websocket
| peer may exhaust memory on Eventlet side by sending very large
| websocket frames. Malicious peer may exhaust memory on Eventlet side
| by sending highly compressed data frame. A patch in version 0.31.0
| restricts websocket frame to reasonable limits. As a workaround,
| restricting memory usage via OS limits would help against overall
| machine exhaustion, but there is no workaround to protect Eventlet
| process.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21419
[1] https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
[2] https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
Regards,
Salvatore
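The two vectors the advisory text above names (a frame whose declared length is enormous, and a small, highly compressed frame that inflates to far more than its wire size) and the shape of the fix (a hard cap on the uncompressed frame length, 8 MiB being the value named in the Debian changelog for this bug) are shown in the added Python example below. It is written for this page and is not eventlet's implementation or the upstream patch: build_frame, parse_header, parse_frame, inflate_bounded, inflate_unbounded and the constructed inputs in demo() are this example's own, with the frame layout taken from RFC 6455 and the permessage-deflate handling from RFC 7692.

```python
"""Bounded WebSocket frame decoding. Added example for this bug log, not
eventlet's code: frame layout per RFC 6455, permessage-deflate per RFC 7692
(raw DEFLATE; the sender strips the trailing 00 00 ff ff). The 8 MiB cap is
the value named in the Debian changelog; all function names are this
example's own."""
import struct
import zlib

MAX_FRAME_BYTES = 8 * 1024 * 1024  # cap on the *uncompressed* payload


class FrameTooLarge(Exception):
    pass


def build_frame(payload, compressed=False):
    """Unmasked binary frame, FIN set; RSV1 flags a permessage-deflate payload."""
    if compressed:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        payload = (c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]
    first = 0x80 | (0x40 if compressed else 0) | 0x02
    n = len(payload)
    if n < 126:
        return struct.pack("!BB", first, n) + payload
    if n < 1 << 16:
        return struct.pack("!BBH", first, 126, n) + payload
    return struct.pack("!BBQ", first, 127, n) + payload


def parse_header(data):
    """Return (compressed, mask, length, payload_offset); mask is b'' if unmasked."""
    first, second = data[0], data[1]
    compressed = bool(first & 0x40)
    length, pos = second & 0x7F, 2
    if length == 126:
        (length,) = struct.unpack_from("!H", data, pos)
        pos += 2
    elif length == 127:
        (length,) = struct.unpack_from("!Q", data, pos)
        pos += 8
    mask = b""
    if second & 0x80:
        mask, pos = data[pos:pos + 4], pos + 4
    return compressed, mask, length, pos


def inflate_bounded(data, limit):
    """Inflate raw DEFLATE without ever holding more than limit + 1 output bytes."""
    d = zlib.decompressobj(-15)
    out, pending = bytearray(), data
    while True:
        budget = limit + 1 - len(out)
        if budget <= 0:  # already past the cap: stop instead of inflating further
            raise FrameTooLarge("inflated payload exceeds %d bytes" % limit)
        # budget >= 1 here; a max_length of 0 would mean "unlimited" to zlib
        chunk = d.decompress(pending, budget)
        out += chunk
        pending = d.unconsumed_tail  # input zlib stopped at when the budget ran out
        if not chunk:
            if pending:
                raise ValueError("decoder made no progress")  # corrupt stream
            return bytes(out)


def inflate_unbounded(data):
    """Pre-fix shape, for contrast: materialise whatever the peer's stream expands to."""
    d = zlib.decompressobj(-15)
    return d.decompress(data) + d.flush()


def parse_frame(data, limit=MAX_FRAME_BYTES):
    """Return (compressed, payload), raising FrameTooLarge on either attack vector."""
    compressed, mask, length, pos = parse_header(data)
    # vector 1: a huge declared length is rejected before any buffer is sized to it
    if length > limit:
        raise FrameTooLarge("declared payload %d exceeds %d bytes" % (length, limit))
    payload = data[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    if mask:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    if not compressed:
        return False, payload
    # vector 2: a few KiB of DEFLATE that inflates past the cap is cut off at limit + 1
    return True, inflate_bounded(payload + b"\x00\x00\xff\xff", limit)


def demo():
    """Constructed inputs: a normal frame, an oversized length field, a deflate bomb."""
    results = {}
    text = b"hello eventlet " * 100
    results["normal"] = parse_frame(build_frame(text, compressed=True)) == (True, text)
    try:  # a 1 TiB declared payload with no body at all
        parse_frame(struct.pack("!BBQ", 0x82, 127, 1 << 40))
        results["declared"] = "accepted"
    except FrameTooLarge:
        results["declared"] = "rejected"
    bomb = build_frame(b"\x00" * (16 * 1024 * 1024), compressed=True)
    results["bomb_wire_bytes"] = len(bomb)  # tens of KiB on the wire, not MiB
    try:
        parse_frame(bomb)
        results["bomb"] = "accepted"
    except FrameTooLarge:
        results["bomb"] = "rejected"
    # the same bytes through the unbounded decoder materialise all 16 MiB
    _, _, n, pos = parse_header(bomb)
    results["unbounded_len"] = len(inflate_unbounded(bomb[pos:pos + n] + b"\x00\x00\xff\xff"))
    return results
```

The point of inflate_bounded is that the check happens on the output side while decompressing, not on the compressed input size: the bomb frame is only tens of KiB on the wire and passes the declared-length check, so a decoder that only validates the header (or that calls zlib with no max_length) still allocates the full expansion. The OS-level memory limits mentioned in the advisory bound the damage to the machine but still let that process be killed, which is why the fix has to live in the frame decoder itself.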
Marked as found in versions python-eventlet/0.20.0-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 10 May 2021 19:27:06 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#988342. (Tue, 11 May 2021 09:15:05 GMT)
Message #10 received at 988342-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #988342 in python-eventlet reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/python-team/packages/python-eventlet/-/commit/d269c3facb866fc0e98cd9fb2ec2beb957e30f60
------------------------------------------------------------------------
* CVE-2021-21419: Malicious peer may exhaust memory on Eventlet side
by sending highly compressed data frame. Applied upstream patch: websocket:
Limit maximum uncompressed frame length to 8MiB (Closes: #988342).
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/988342
Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 988342-submitter@bugs.debian.org. (Tue, 11 May 2021 09:15:05 GMT)
Reply sent to Thomas Goirand <zigo@debian.org>: You have taken responsibility. (Tue, 11 May 2021 09:39:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 11 May 2021 09:39:03 GMT)
Message #17 received at 988342-close@bugs.debian.org:
Source: python-eventlet
Source-Version: 0.26.1-7
Done: Thomas Goirand <zigo@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-eventlet, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988342@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-eventlet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 11 May 2021 08:03:43 +0200
Source: python-eventlet
Architecture: source
Version: 0.26.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 988342
Changes:
python-eventlet (0.26.1-7) unstable; urgency=medium
.
* CVE-2021-21419: Malicious peer may exhaust memory on Eventlet side
by sending highly compressed data frame. Applied upstream patch: websocket:
Limit maximum uncompressed frame length to 8MiB (Closes: #988342).
Checksums-Sha1:
d4c1bdda21cceda95ea3ea63472a6f1d25d33899 2506 python-eventlet_0.26.1-7.dsc
1319881dd236aca875902d66c9028bc011c01b2d 24684 python-eventlet_0.26.1-7.debian.tar.xz
a6d6f303d0d2fe5ae78cec3e3f1035968eaaab7b 8022 python-eventlet_0.26.1-7_amd64.buildinfo
Checksums-Sha256:
30aecb6f86f056db7e5ec7afe4e66f79abf64c0569aba5ac6c9210ea5b569e7e 2506 python-eventlet_0.26.1-7.dsc
6fff73f94a36dc24ed6c98db352ebb3903ada58100ee88403cdee2d77867e693 24684 python-eventlet_0.26.1-7.debian.tar.xz
303ca596488c1df3da27ef92798ee7f3e100a45454fa78aeb499bad998ebc96f 8022 python-eventlet_0.26.1-7_amd64.buildinfo
Files:
6fdca94e59e77894fc8be3fb430ef9e4 2506 python optional python-eventlet_0.26.1-7.dsc
c609a24d82702766be637dd1326002ee 24684 python optional python-eventlet_0.26.1-7.debian.tar.xz
3d57c987570a6f53224bbaf05e4b3ee1 8022 python optional python-eventlet_0.26.1-7_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=hsU2
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue May 11 12:43:54 2021; Machine Name: bembo