Ubuntu has issued an advisory on May 17: https://ubuntu.com/security/notices/USN-4956-1 The issue is fixed upstream in 0.31.0. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 0.31.0
CC: (none) => geiger.david68210
Assigning to the Python group; CC'ing NicolasL, registered maintainer.
Assignee: bugsquad => python
CC: (none) => mageia
Fedora has issued an advisory for this on May 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
Done for Cauldron, mga8 and mga7!

RPMS:
python2-eventlet-0.24.1-1.1.mga7
python3-eventlet-0.24.1-1.1.mga7
python-eventlet-doc-0.24.1-1.1.mga7
python-eventlet-doc-0.31.0-1.mga8
python3-eventlet-0.31.0-1.mga8

from SRPMS:
python-eventlet-0.24.1-1.1.mga7.src.rpm
python-eventlet-0.31.0-1.mga8.src.rpm
Assignee: python => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 0.31.0 => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
mga7, x86

No PoC tests for this by the look of it. No real idea how to use this. The documentation at /usr/share/doc/python3-eventlet/README.rst was out-of-date; running the example script resulted in failures. The ever-reliable Stack Overflow supplied corrections and a web crawler script from Kurt Peek which worked before updates. Updated the three packages and checked the documentation again - it is still out-of-date.

The test script is:
----------------------------------------------------------------------
import eventlet
from eventlet.green.urllib import request  # cooperative (green) urllib, yields to the hub on I/O

urls = [
    "https://www.google.com/intl/en_ALL/images/logo.gif",
    "http://python.org/images/python-logo.gif",
    "http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif",
]


def fetch(url):
    print("opening", url)
    body = request.urlopen(url).read()
    print("done with", url)
    return url, body


pool = eventlet.GreenPool(200)  # up to 200 concurrent green threads
for url, body in pool.imap(fetch, urls):
    print("got body from", url, "of length", len(body))
-----------------------------------------------------------------------
for python3.

For python2 replace line 2 with:
from eventlet.green import urllib2 as request

$ python2 crawler2.py
('opening', 'https://www.google.com/intl/en_ALL/images/logo.gif')
('opening', 'http://python.org/images/python-logo.gif')
('opening', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif')
('done with', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif')
('done with', 'https://www.google.com/intl/en_ALL/images/logo.gif')
('got body from', 'https://www.google.com/intl/en_ALL/images/logo.gif', 'of length', 8558)
('done with', 'http://python.org/images/python-logo.gif')
('got body from', 'http://python.org/images/python-logo.gif', 'of length', 2549)
('got body from', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif', 'of length', 1874)

$ python3 crawler3.py
opening https://www.google.com/intl/en_ALL/images/logo.gif
opening http://python.org/images/python-logo.gif
opening http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with https://www.google.com/intl/en_ALL/images/logo.gif
got body from https://www.google.com/intl/en_ALL/images/logo.gif of length 8558
done with http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with http://python.org/images/python-logo.gif
got body from http://python.org/images/python-logo.gif of length 2549
got body from http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif of length 1874

This shall have to do in the absence of any familiarity with this subject.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
mga8, x64

Installed the packages for python3 (python). Ran the crawler3 script - OK. Updated from testing.

$ python crawler3.py
opening https://www.google.com/intl/en_ALL/images/logo.gif
opening http://python.org/images/python-logo.gif
opening http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with https://www.google.com/intl/en_ALL/images/logo.gif
got body from https://www.google.com/intl/en_ALL/images/logo.gif of length 8558
done with http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with http://python.org/images/python-logo.gif
got body from http://python.org/images/python-logo.gif of length 2549
got body from http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif of length 1874

OK as far as it goes.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
You know more than I do, Len. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

Updated python-eventlet packages fix a security vulnerability:

Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may exhaust memory on the Eventlet side by sending a highly compressed data frame. A patch in version 0.31.0 restricts websocket frames to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect the Eventlet process (CVE-2021-21419).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29009
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21419
- https://ubuntu.com/security/notices/USN-4956-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
========================

Updated packages in 7/core/updates_testing:
========================
python-eventlet-doc-0.24.1-1.1.mga7
python2-eventlet-0.24.1-1.1.mga7
python3-eventlet-0.24.1-1.1.mga7

from SRPM:
python-eventlet-0.24.1-1.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
python-eventlet-doc-0.31.0-1.mga8
python3-eventlet-0.31.0-1.mga8

from SRPM:
python-eventlet-0.31.0-1.mga8.src.rpm
========================
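The advisory above says the 0.31.0 fix restricts websocket frames to reasonable limits, but neither the advisory nor the crawler test exercises that path. The script below is an added example written for this page; it is not eventlet's code and not the upstream patch. It shows the two checks the CVE description calls for: an RFC 6455 frame header parser that rejects a frame whose declared length exceeds a cap before any payload is read (so a 10-byte header declaring 4 GiB cannot force a 4 GiB allocation), and a bounded inflate for permessage-deflate style payloads so a few KiB of highly compressed zeros cannot expand without limit. The caps MAX_FRAME_PAYLOAD and MAX_INFLATED_MESSAGE and all function names are assumptions chosen for illustration; the inputs built in demo() are constructed.

```python
"""Added example (not eventlet's code): bound WebSocket frame size and
inflated size before buffering, the class of check behind the
CVE-2021-21419 fix.  Limits and names are illustrative assumptions."""
import struct
import zlib

MAX_FRAME_PAYLOAD = 1 << 20      # assumed cap: 1 MiB declared per frame
MAX_INFLATED_MESSAGE = 4 << 20   # assumed cap: 4 MiB after inflation


class FrameTooLarge(Exception):
    """Raised before any payload buffer is allocated."""


def parse_frame_header(buf, max_payload=MAX_FRAME_PAYLOAD):
    """Parse an RFC 6455 frame header from bytes-like `buf`.

    Returns (fin, opcode, masked, payload_len, header_len).  The declared
    length is checked against `max_payload` before the caller reads the
    payload, so a peer cannot make us allocate a huge buffer just by
    declaring a 64-bit length.
    """
    if len(buf) < 2:
        raise ValueError("truncated header")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if length == 126:                      # 16-bit extended length
        if len(buf) < 4:
            raise ValueError("truncated header")
        (length,) = struct.unpack("!H", buf[2:4])
        pos = 4
    elif length == 127:                    # 64-bit extended length
        if len(buf) < 10:
            raise ValueError("truncated header")
        (length,) = struct.unpack("!Q", buf[2:10])
        if length >> 63:
            raise ValueError("64-bit length has MSB set (RFC 6455 5.2)")
        pos = 10
    if opcode & 0x8 and (length > 125 or not fin):
        raise ValueError("control frames must be <= 125 bytes and unfragmented")
    if length > max_payload:
        raise FrameTooLarge(f"declared payload {length} exceeds limit {max_payload}")
    if masked:
        pos += 4                           # 32-bit masking key follows the length
    return fin, opcode, masked, length, pos


def inflate_bounded(data, max_out=MAX_INFLATED_MESSAGE):
    """Inflate a raw-deflate payload (what permessage-deflate carries) but
    never produce more than `max_out` bytes, whatever the compression ratio.

    zlib's max_length argument stops decompression at the cap instead of
    letting a tiny, highly repetitive payload expand without bound.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out + 1)  # one byte over the cap is enough to detect overflow
    if len(out) > max_out:
        raise FrameTooLarge(f"inflated size exceeds limit {max_out}")
    return out


def build_frame(opcode, payload, fin=True):
    """Encode an unmasked frame (server-to-client direction) for demos."""
    head = bytes([(0x80 if fin else 0) | opcode])
    n = len(payload)
    if n < 126:
        head += bytes([n])
    elif n < 1 << 16:
        head += b"\x7e" + struct.pack("!H", n)
    else:
        head += b"\x7f" + struct.pack("!Q", n)
    return head + payload


def raw_deflate(data):
    """Raw deflate (no zlib header), as permessage-deflate uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def classify(buf):
    """Return 'ok', 'too-large' or 'malformed' for a received frame header."""
    try:
        parse_frame_header(buf)
        return "ok"
    except FrameTooLarge:
        return "too-large"
    except ValueError:
        return "malformed"


def demo():
    """Constructed inputs: a normal frame, a 4 GiB declared frame, a bomb."""
    normal = build_frame(0x1, b"hello")
    huge = b"\x82\x7f" + struct.pack("!Q", 1 << 32)   # declares 4 GiB, sends no payload
    bomb = raw_deflate(b"\0" * (8 << 20))              # 8 MiB of zeros, a few KiB compressed
    try:
        inflate_bounded(bomb)
        bomb_result = "inflated"
    except FrameTooLarge:
        bomb_result = "too-large"
    return classify(normal), classify(huge), len(bomb), bomb_result


if __name__ == "__main__":
    print(demo())
```

Running it prints ('ok', 'too-large', <compressed size>, 'too-large'): the 4 GiB frame is refused from its 10-byte header alone, and the 8 MiB bomb is cut off at the 4 MiB cap. That is the difference from the advisory's OS-limit workaround, which only kills the process after the allocation has already happened.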
Source RPM: python-eventlet-0.30.2-2.mga9.src.rpm => python-eventlet-0.29.1-1.mga8.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-21419
Please don't set "advisory" until it's actually added to svn (now really added).
(In reply to Thomas Backlund from comment #9)
> please dont set "advisory" until it's actually added to svn (now really
> added)

Oh. Sorry. Excuse me, I wonder why I didn't commit. Perhaps baby time. This will not be reproduced.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0266.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to Aurelien Oudelet from comment #10)
> (In reply to Thomas Backlund from comment #9)
> > please dont set "advisory" until it's actually added to svn (now really
> > added)
>
> Oh. Sorry. Excuse me, I wonder why i don't commit. perhaps baby Time.
> This will not be reproduced.

No worries, sh* happens :) I just wanted to point it out as a reminder for next time.