Bug 29009 - python-eventlet new security issue CVE-2021-21419
Summary: python-eventlet new security issue CVE-2021-21419
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 01:10 CEST by David Walser
Modified: 2021-06-18 21:29 CEST (History)
6 users

See Also:
Source RPM: python-eventlet-0.29.1-1.mga8.src.rpm
CVE: CVE-2021-21419
Status comment:



Description David Walser 2021-05-29 01:10:26 CEST
Ubuntu has issued an advisory on May 17:
https://ubuntu.com/security/notices/USN-4956-1

The issue is fixed upstream in 0.31.0.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-29 01:10:45 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 0.31.0
CC: (none) => geiger.david68210

Comment 1 Lewis Smith 2021-05-29 20:35:17 CEST
Assigning to the Python group; CC'ing NicolasL, registered maintainer.

Assignee: bugsquad => python
CC: (none) => mageia

Comment 2 David Walser 2021-05-30 04:20:19 CEST
Fedora has issued an advisory for this on May 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
Comment 3 David GEIGER 2021-06-07 11:04:15 CEST
Done for Cauldron, mga8 and mga7!
Comment 4 David Walser 2021-06-09 01:31:09 CEST
RPMS:
python2-eventlet-0.24.1-1.1.mga7
python3-eventlet-0.24.1-1.1.mga7
python-eventlet-doc-0.24.1-1.1.mga7
python-eventlet-doc-0.31.0-1.mga8
python3-eventlet-0.31.0-1.mga8

from SRPMS:
python-eventlet-0.24.1-1.1.mga7.src.rpm
python-eventlet-0.31.0-1.mga8.src.rpm

Assignee: python => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 0.31.0 => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 5 Len Lawrence 2021-06-13 19:26:42 CEST
mga7, x86

No poc tests for this by the look of it.
No real idea how to use this. The documentation at /usr/share/doc/python3-eventlet/README.rst was out-of-date; running the example script resulted in failures.
The ever reliable stackoverflow supplied corrections and a web crawler script from Kurt Peek which worked before updates.
Updated the three packages and checked the documentation again - it is still out-of-date.

The test script is:
----------------------------------------------------------------------
import eventlet
from eventlet.green.urllib import request

urls = [
    "https://www.google.com/intl/en_ALL/images/logo.gif",
    "http://python.org/images/python-logo.gif",
    "http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif",
]

def fetch(url):
    print("opening", url)
    body = request.urlopen(url).read()
    print("done with", url)
    return url, body

pool = eventlet.GreenPool(200)
for url, body in pool.imap(fetch, urls):
    print("got body from", url, "of length", len(body))
-----------------------------------------------------------------------
for python3.
For python2 replace line 2 with:
from eventlet.green import urllib2 as request

$ python2 crawler2.py
('opening', 'https://www.google.com/intl/en_ALL/images/logo.gif')
('opening', 'http://python.org/images/python-logo.gif')
('opening', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif')
('done with', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif')
('done with', 'https://www.google.com/intl/en_ALL/images/logo.gif')
('got body from', 'https://www.google.com/intl/en_ALL/images/logo.gif', 'of length', 8558)
('done with', 'http://python.org/images/python-logo.gif')
('got body from', 'http://python.org/images/python-logo.gif', 'of length', 2549)
('got body from', 'http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif', 'of length', 1874)

$ python3 crawler3.py
opening https://www.google.com/intl/en_ALL/images/logo.gif
opening http://python.org/images/python-logo.gif
opening http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with https://www.google.com/intl/en_ALL/images/logo.gif
got body from https://www.google.com/intl/en_ALL/images/logo.gif of length 8558
done with http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with http://python.org/images/python-logo.gif
got body from http://python.org/images/python-logo.gif of length 2549
got body from http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif of length 1874

This shall have to do in the absence of any familiarity with this subject.

CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 6 Len Lawrence 2021-06-15 17:43:16 CEST
mga8, x64

Installed the packages for python3 (python).
Ran the crawler3 script - OK.
Updated from testing.

$ python crawler3.py
opening https://www.google.com/intl/en_ALL/images/logo.gif
opening http://python.org/images/python-logo.gif
opening http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with https://www.google.com/intl/en_ALL/images/logo.gif
got body from https://www.google.com/intl/en_ALL/images/logo.gif of length 8558
done with http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif
done with http://python.org/images/python-logo.gif
got body from http://python.org/images/python-logo.gif of length 2549
got body from http://us.i1.yimg.com/us.yimg.com/i/ww/beta/y3.gif of length 1874

OK as far as it goes.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Thomas Andrews 2021-06-15 22:11:46 CEST
You know more than I do, Len.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Aurelien Oudelet 2021-06-15 22:29:36 CEST
Advisory:
========================

Updated python-eventlet packages fix a security vulnerability:

Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process (CVE-2021-21419).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29009
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21419
 - https://ubuntu.com/security/notices/USN-4956-1
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
========================

Updated packages in 7/core/updates_testing:
========================
python-eventlet-doc-0.24.1-1.1.mga7
python2-eventlet-0.24.1-1.1.mga7
python3-eventlet-0.24.1-1.1.mga7

from SRPM:
python-eventlet-0.24.1-1.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
python-eventlet-doc-0.31.0-1.mga8
python3-eventlet-0.31.0-1.mga8

from SRPM:
python-eventlet-0.31.0-1.mga8.src.rpm
========================
Aurelien Oudelet 2021-06-15 22:33:08 CEST

Source RPM: python-eventlet-0.30.2-2.mga9.src.rpm => python-eventlet-0.29.1-1.mga8.src.rpm
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-21419
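The advisory above says the 0.31.0 fix "restricts websocket frame to reasonable limits". As an added illustration (not eventlet's own code), the snippet below shows the two checks that class of fix needs: rejecting an RFC 6455 frame from its declared length before any payload is buffered, and bounding the inflated size of a permessage-deflate payload so a small, highly compressed frame cannot balloon in memory. The limits, function names and sample frames are assumptions chosen for this example.

```python
import struct
import zlib

MAX_FRAME_BYTES = 1 << 20      # assumed per-frame payload limit (1 MiB)
MAX_INFLATED_BYTES = 8 << 20   # assumed limit on decompressed output (8 MiB)


class FrameTooLarge(ValueError):
    """Raised when a frame would exceed the configured limits."""


def parse_frame_header(data):
    """Decode an RFC 6455 frame header -> (fin, opcode, masked, payload_len, header_len).

    The declared payload length is checked against MAX_FRAME_BYTES here, so a
    peer announcing a huge frame is refused before any payload is read or allocated.
    """
    if len(data) < 2:
        raise ValueError("need at least 2 header bytes")
    b0, b1 = data[0], data[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    offset = 2
    if length == 126:                       # 16-bit extended length
        if len(data) < 4:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack_from("!H", data, 2)
        offset = 4
    elif length == 127:                     # 64-bit extended length
        if len(data) < 10:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack_from("!Q", data, 2)
        offset = 10
    if masked:
        offset += 4                         # 4-byte masking key follows the length
    if length > MAX_FRAME_BYTES:
        raise FrameTooLarge(f"declared payload {length} exceeds {MAX_FRAME_BYTES}")
    return fin, opcode, masked, length, offset


def inflate_bounded(compressed, limit=MAX_INFLATED_BYTES):
    """Inflate a permessage-deflate payload, giving up once output exceeds `limit`.

    The receiver re-appends the 00 00 ff ff trailer stripped by the sender (RFC 7692)
    and asks zlib for at most limit+1 bytes, so a decompression bomb cannot grow past it.
    """
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = d.decompress(compressed + b"\x00\x00\xff\xff", limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise FrameTooLarge(f"inflated payload exceeds {limit} bytes")
    return out


def deflate_for_websocket(payload):
    """Constructed sample input: compress as a permessage-deflate sender would."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    data = co.compress(payload) + co.flush(zlib.Z_SYNC_FLUSH)
    return data[:-4]                        # sender strips the 00 00 ff ff trailer
```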

Comment 9 Thomas Backlund 2021-06-18 19:59:30 CEST
please don't set "advisory" until it's actually added to svn (now really added)
Comment 10 Aurelien Oudelet 2021-06-18 20:07:36 CEST
(In reply to Thomas Backlund from comment #9)
> please don't set "advisory" until it's actually added to svn (now really
> added)

Oh. Sorry. Excuse me, I wonder why I didn't commit. Perhaps baby time.
This will not be reproduced.
Comment 11 Mageia Robot 2021-06-18 21:26:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0266.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 Thomas Backlund 2021-06-18 21:29:34 CEST
(In reply to Aurelien Oudelet from comment #10)
> (In reply to Thomas Backlund from comment #9)
> > please don't set "advisory" until it's actually added to svn (now really
> > added)
> 
> Oh. Sorry. Excuse me, I wonder why I didn't commit. Perhaps baby time.
> This will not be reproduced.

no worries, sh* happens :)

I just wanted to point it out as a reminder for next time
