| Summary: | python-eventlet new security issue CVE-2021-21419 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | python-eventlet-0.29.1-1.mga8.src.rpm | CVE: | CVE-2021-21419 |
| Status comment: | |||
Description
David Walser
2021-05-29 01:10:26 CEST
David Walser
2021-05-29 01:10:45 CEST
Whiteboard: (none) => MGA8TOO, MGA7TOO

Assigning to the Python group; CC'ing NicolasL, registered maintainer.
Assignee: bugsquad => python

Fedora has issued an advisory for this on May 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/

Done for Cauldron, mga8 and mga7!

RPMS:
python2-eventlet-0.24.1-1.1.mga7
python3-eventlet-0.24.1-1.1.mga7
python-eventlet-doc-0.24.1-1.1.mga7
python-eventlet-doc-0.31.0-1.mga8
python3-eventlet-0.31.0-1.mga8

from SRPMS:
python-eventlet-0.24.1-1.1.mga7.src.rpm
python-eventlet-0.31.0-1.mga8.src.rpm
Assignee: python => qa-bugs

mga7, x86
No PoC tests for this by the look of it.
No real idea how to use this. The documentation at /usr/share/doc/python3-eventlet/README.rst was out-of-date; running the example script resulted in failures.
The ever-reliable Stack Overflow supplied corrections and a web crawler script from Kurt Peek which worked before updates.
Updated the three packages and checked the documentation again - it is still out-of-date.
The test script is:
----------------------------------------------------------------------
import eventlet
from eventlet.green.urllib import request   # green (cooperative) urllib

urls = [
    "https://www.google.com/intl/en_ALL/images/logo.gif",
    "http://python.org/images/python-logo.gif",
    "http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif",
]


def fetch(url):
    # each call runs in its own greenthread; urlopen yields while waiting on I/O
    print("opening", url)
    body = request.urlopen(url).read()
    print("done with", url)
    return url, body


# at most 200 concurrent fetches; imap yields results in input order
pool = eventlet.GreenPool(200)
for url, body in pool.imap(fetch, urls):
    print("got body from", url, "of length", len(body))
-----------------------------------------------------------------------
for python3.
For python2 replace line 2 with:
from eventlet.green import urllib2 as request
$ python2 crawler2.py
('opening', 'https://www.google.com/intl/en_ALL/images/logo.gif')
('opening', 'http://python.org/images/python-logo.gif')
('opening', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif')
('done with', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif')
('done with', 'https://www.google.com/intl/en_ALL/images/logo.gif')
('got body from', 'https://www.google.com/intl/en_ALL/images/logo.gif', 'of length', 8558)
('done with', 'http://python.org/images/python-logo.gif')
('got body from', 'http://python.org/images/python-logo.gif', 'of length', 2549)
('got body from', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif', 'of length', 1874)
$ python3 crawler3.py
opening https://www.google.com/intl/en_ALL/images/logo.gif
opening http://python.org/images/python-logo.gif
opening http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with https://www.google.com/intl/en_ALL/images/logo.gif
got body from https://www.google.com/intl/en_ALL/images/logo.gif of length 8558
done with http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with http://python.org/images/python-logo.gif
got body from http://python.org/images/python-logo.gif of length 2549
got body from http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif of length 1874
This shall have to do in the absence of any familiarity with this subject.
CC: (none) => tarazed25

mga8, x64

Installed the packages for python3 (python).
Ran the crawler3 script - OK.
Updated from testing.

$ python crawler3.py
opening https://www.google.com/intl/en_ALL/images/logo.gif
opening http://python.org/images/python-logo.gif
opening http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with https://www.google.com/intl/en_ALL/images/logo.gif
got body from https://www.google.com/intl/en_ALL/images/logo.gif of length 8558
done with http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with http://python.org/images/python-logo.gif
got body from http://python.org/images/python-logo.gif of length 2549
got body from http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif of length 1874

OK as far as it goes.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

You know more than I do, Len. Validating.
Keywords: (none) => validated_update

Advisory:
========================

Updated python-eventlet packages fix a security vulnerability:

Eventlet is a concurrent networking library for Python. A websocket peer may
exhaust memory on the Eventlet side by sending very large websocket frames. A
malicious peer may exhaust memory on the Eventlet side by sending a highly
compressed data frame. A patch in version 0.31.0 restricts websocket frames to
reasonable limits. As a workaround, restricting memory usage via OS limits
would help against overall machine exhaustion, but there is no workaround to
protect the Eventlet process (CVE-2021-21419).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29009
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21419
- https://ubuntu.com/security/notices/USN-4956-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
========================

Updated packages in 7/core/updates_testing:
========================
python-eventlet-doc-0.24.1-1.1.mga7
python2-eventlet-0.24.1-1.1.mga7
python3-eventlet-0.24.1-1.1.mga7

from SRPM:
python-eventlet-0.24.1-1.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
python-eventlet-doc-0.31.0-1.mga8
python3-eventlet-0.31.0-1.mga8

from SRPM:
python-eventlet-0.31.0-1.mga8.src.rpm
========================
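The advisory describes the failure mode, but as the QA comments note there is no PoC attached to this bug. What follows is an added illustration, not eventlet's code and not part of the original report: a stdlib-only Python reader for RFC 6455 frames that enforces the two bounds a fix of this kind has to enforce, a cap on the declared frame length (checked before any payload is buffered) and a cap on how far a permessage-deflate (RFC 7692) payload may inflate. The 1 MiB / 4 MiB limits, the helper names and the three constructed frames (a benign masked frame, a header announcing a 1 TiB payload, and a few-KiB frame that inflates to 8 MiB) are assumptions of this example; eventlet's actual 0.31.0 limits and internals are not reproduced here.

```python
import struct
import zlib

MAX_FRAME_SIZE = 1 << 20            # assumed cap on one frame (1 MiB); not eventlet's value
MAX_MESSAGE_SIZE = 4 << 20          # assumed cap on a reassembled or inflated message (4 MiB)
DEFLATE_TAIL = b"\x00\x00\xff\xff"  # RFC 7692 drops this from the end of every message


class FrameTooLarge(ValueError):
    """A frame, message or inflated payload exceeded a configured limit."""


def parse_frame(buf, max_frame_size=MAX_FRAME_SIZE):
    """Parse one RFC 6455 frame -> (fin, rsv1, opcode, payload, bytes_used)."""
    if len(buf) < 2:
        raise ValueError("frame truncated")
    b0, b1 = buf[0], buf[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length, pos = bool(b1 & 0x80), b1 & 0x7F, 2
    extra = {126: 2, 127: 8}.get(length, 0)     # size of the extended length field
    if extra:
        if len(buf) < pos + extra:
            raise ValueError("frame truncated")
        (length,) = struct.unpack_from("!H" if extra == 2 else "!Q", buf, pos)
        pos += extra
    # Check the *declared* length before slicing or buffering any payload: a peer
    # announcing a multi-gigabyte frame then costs nothing beyond the header bytes.
    if length > max_frame_size:
        raise FrameTooLarge("declared length %d exceeds %d" % (length, max_frame_size))
    mask = b""
    if masked:
        mask, pos = bytes(buf[pos:pos + 4]), pos + 4
    if len(buf) < pos + length:
        raise ValueError("frame truncated")
    payload = bytes(buf[pos:pos + length])
    if masked:
        payload = bytes(c ^ mask[i % 4] for i, c in enumerate(payload))
    return fin, rsv1, opcode, payload, pos + length


def build_frame(payload, opcode=0x2, fin=True, rsv1=False, mask=None):
    """Encode one frame; pass a 4-byte mask for client-to-server frames."""
    b0 = (0x80 if fin else 0) | (0x40 if rsv1 else 0) | opcode
    mbit, n = (0x80 if mask else 0), len(payload)
    if n < 126:
        header = bytes([b0, mbit | n])
    elif n < 1 << 16:
        header = bytes([b0, mbit | 126]) + struct.pack("!H", n)
    else:
        header = bytes([b0, mbit | 127]) + struct.pack("!Q", n)
    if mask:
        return header + mask + bytes(c ^ mask[i % 4] for i, c in enumerate(payload))
    return header + payload


def deflate_message(data):
    """Compress as permessage-deflate does: raw deflate, sync flush, tail removed."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    out = c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
    assert out.endswith(DEFLATE_TAIL)
    return out[:-4]


def inflate_bounded(data, max_size=MAX_MESSAGE_SIZE):
    """Inflate a permessage-deflate payload, refusing to grow past max_size."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    # max_length stops zlib at the cap; output past it, or input left unconsumed,
    # means the peer sent more than we are willing to hold in memory.
    out = d.decompress(data + DEFLATE_TAIL, max_size + 1)
    if len(out) > max_size or d.unconsumed_tail:
        raise FrameTooLarge("inflated payload exceeds %d bytes" % max_size)
    return out


def read_message(buf, max_frame_size=MAX_FRAME_SIZE, max_message_size=MAX_MESSAGE_SIZE):
    """Reassemble one data message, bounding the total across fragments as well."""
    parts, total, pos, compressed = [], 0, 0, None
    while True:
        fin, rsv1, _opcode, payload, used = parse_frame(buf[pos:], max_frame_size)
        pos += used
        if compressed is None:      # RSV1 is set on the first frame only (RFC 7692)
            compressed = rsv1
        total += len(payload)
        if total > max_message_size:
            raise FrameTooLarge("message exceeds %d bytes" % max_message_size)
        parts.append(payload)
        if fin:
            break
    data = b"".join(parts)
    return inflate_bounded(data, max_message_size) if compressed else data


def demo():
    """Three constructed inputs: a benign frame, an oversized header, a deflate bomb."""
    def outcome(frame, **limits):
        try:
            return read_message(frame, **limits)
        except FrameTooLarge as exc:
            return "rejected: %s" % exc
    benign = build_frame(b"hello", mask=b"\x01\x02\x03\x04")
    # Header announces a 1 TiB frame and sends no body: refused from the header alone.
    huge = bytes([0x82, 127]) + struct.pack("!Q", 1 << 40)
    # 8 MiB of zeros is a few KiB on the wire; the inflated size is what must be capped.
    bomb = build_frame(deflate_message(b"\x00" * (8 << 20)), rsv1=True)
    return {"benign": outcome(benign), "huge": outcome(huge),
            "bomb_wire_bytes": len(bomb), "bomb": outcome(bomb, max_message_size=64 << 10)}
```

demo() returns the benign frame's bytes and a "rejected: ..." string for the other two. The ordering is the point to carry over to any real reader: the declared length is compared with the limit before the payload is read, and decompression runs with a bounded max_length instead of inflating first and measuring afterwards, since by then the memory is already gone.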
Aurelien Oudelet
2021-06-15 22:33:08 CEST
Source RPM: python-eventlet-0.30.2-2.mga9.src.rpm => python-eventlet-0.29.1-1.mga8.src.rpm

please don't set "advisory" until it's actually added to svn (now really added)

(In reply to Thomas Backlund from comment #9)
> please don't set "advisory" until it's actually added to svn (now really
> added)

Oh. Sorry. Excuse me, I wonder why I don't commit. Perhaps baby time.
This will not be reproduced.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0266.html
Status: NEW => RESOLVED

(In reply to Aurelien Oudelet from comment #10)
> (In reply to Thomas Backlund from comment #9)
> > please don't set "advisory" until it's actually added to svn (now really
> > added)
>
> Oh. Sorry. Excuse me, I wonder why I don't commit. Perhaps baby time.
> This will not be reproduced.

no worries, sh* happens :)
I just wanted to point it out as a reminder for next time