Search for packages
| purl | pkg:deb/debian/python-eventlet@0.19.0-6~bpo8%2B1 |
| Next non-vulnerable version | 0.39.1-2+deb13u1 |
| Latest non-vulnerable version | 0.39.1-2+deb13u1 |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-bnye-3p23-zyc9
Aliases: CVE-2025-58068 GHSA-hw6f-rjfj-j7j7 |
Eventlet affected by HTTP request smuggling in unparsed trailers ### Impact The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to: - Bypass front-end security controls - Launch targeted attacks against active site users - Poison web caches ### Patches Problem has been patched in eventlet 0.40.3. The patch just drops trailers. If a backend behind eventlet.wsgi proxy requires trailers, then this patch BREAKS your setup. ### Workarounds Do not use eventlet.wsgi facing untrusted clients. ### References - Patch https://github.com/eventlet/eventlet/pull/1062 - This issue is similar to https://github.com/advisories/GHSA-9548-qrrj-x5pj |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-cgcf-st57-tkd1
Aliases: CVE-2021-21419 GHSA-9p9m-jm8w-94p2 PYSEC-2021-12 |
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||