Vulnerability-Lookup

RHSA-2026:1959

Vulnerability from csaf_redhat - Published: 2026-02-13 07:33 - Updated: 2026-02-13 12:59

Summary

Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (python-eventlet) security update

Notes

Topic

An update for python-eventlet is now available for Red Hat OpenStack Services on OpenShift 18.0 (Antelope). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Eventlet is a networking library written in Python. It achieves high scalability by using non-blocking io while at the same time retaining high programmer usability by using coroutines to make the non-blocking io operations appear blocking at the source code level. Security Fix(es): * Eventlet HTTP request smuggling (CVE-2025-58068) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-eventlet is now available for Red Hat OpenStack\nServices on OpenShift 18.0 (Antelope).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Eventlet is a networking library written in Python. It achieves high\nscalability by using non-blocking io while at the same time retaining high\nprogrammer usability by using coroutines to make the non-blocking io\noperations appear blocking at the source code\nlevel.\n\nSecurity Fix(es):\n\n* Eventlet HTTP request smuggling (CVE-2025-58068)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:1959",
        "url": "https://access.redhat.com/errata/RHSA-2026:1959"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2391958",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391958"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_1959.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (python-eventlet) security update",
    "tracking": {
      "current_release_date": "2026-02-13T12:59:36+00:00",
      "generator": {
        "date": "2026-02-13T12:59:36+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2026:1959",
      "initial_release_date": "2026-02-13T07:33:13+00:00",
      "revision_history": [
        {
          "date": "2026-02-13T07:33:13+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-13T07:33:13+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-13T12:59:36+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Services on OpenShift 18.0",
                "product": {
                  "name": "Red Hat OpenStack Services on OpenShift 18.0",
                  "product_id": "9Base-RHOSO-18.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:18.0::el9"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "9Base-RHOSO-TOOLS-18",
                "product": {
                  "name": "9Base-RHOSO-TOOLS-18",
                  "product_id": "9Base-RHOSO-TOOLS-18",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:18.0::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Services on OpenShift"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-eventlet-0:0.33.1-7.el9ost.src",
                "product": {
                  "name": "python-eventlet-0:0.33.1-7.el9ost.src",
                  "product_id": "python-eventlet-0:0.33.1-7.el9ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-eventlet@0.33.1-7.el9ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-eventlet-0:0.33.1-7.el9ost.noarch",
                "product": {
                  "name": "python3-eventlet-0:0.33.1-7.el9ost.noarch",
                  "product_id": "python3-eventlet-0:0.33.1-7.el9ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python3-eventlet@0.33.1-7.el9ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-eventlet-0:0.33.1-7.el9ost.src as a component of Red Hat OpenStack Services on OpenShift 18.0",
          "product_id": "9Base-RHOSO-18.0:python-eventlet-0:0.33.1-7.el9ost.src"
        },
        "product_reference": "python-eventlet-0:0.33.1-7.el9ost.src",
        "relates_to_product_reference": "9Base-RHOSO-18.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-eventlet-0:0.33.1-7.el9ost.noarch as a component of Red Hat OpenStack Services on OpenShift 18.0",
          "product_id": "9Base-RHOSO-18.0:python3-eventlet-0:0.33.1-7.el9ost.noarch"
        },
        "product_reference": "python3-eventlet-0:0.33.1-7.el9ost.noarch",
        "relates_to_product_reference": "9Base-RHOSO-18.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-eventlet-0:0.33.1-7.el9ost.src as a component of 9Base-RHOSO-TOOLS-18",
          "product_id": "9Base-RHOSO-TOOLS-18:python-eventlet-0:0.33.1-7.el9ost.src"
        },
        "product_reference": "python-eventlet-0:0.33.1-7.el9ost.src",
        "relates_to_product_reference": "9Base-RHOSO-TOOLS-18"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-eventlet-0:0.33.1-7.el9ost.noarch as a component of 9Base-RHOSO-TOOLS-18",
          "product_id": "9Base-RHOSO-TOOLS-18:python3-eventlet-0:0.33.1-7.el9ost.noarch"
        },
        "product_reference": "python3-eventlet-0:0.33.1-7.el9ost.noarch",
        "relates_to_product_reference": "9Base-RHOSO-TOOLS-18"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-58068",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2025-08-29T22:00:44.749956+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2391958"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A request smuggling flaw was found in the Eventlet PyPI library. The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability allows attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-eventlet: Eventlet HTTP request smuggling",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHOSO-18.0:python-eventlet-0:0.33.1-7.el9ost.src",
          "9Base-RHOSO-18.0:python3-eventlet-0:0.33.1-7.el9ost.noarch",
          "9Base-RHOSO-TOOLS-18:python-eventlet-0:0.33.1-7.el9ost.src",
          "9Base-RHOSO-TOOLS-18:python3-eventlet-0:0.33.1-7.el9ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-58068"
        },
        {
          "category": "external",
          "summary": "RHBZ#2391958",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391958"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-58068",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58068"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58068",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58068"
        },
        {
          "category": "external",
          "summary": "https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb",
          "url": "https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb"
        },
        {
          "category": "external",
          "summary": "https://github.com/eventlet/eventlet/pull/1062",
          "url": "https://github.com/eventlet/eventlet/pull/1062"
        },
        {
          "category": "external",
          "summary": "https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7",
          "url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7"
        }
      ],
      "release_date": "2025-08-29T21:12:24.534000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-13T07:33:13+00:00",
          "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "9Base-RHOSO-18.0:python-eventlet-0:0.33.1-7.el9ost.src",
            "9Base-RHOSO-18.0:python3-eventlet-0:0.33.1-7.el9ost.noarch",
            "9Base-RHOSO-TOOLS-18:python-eventlet-0:0.33.1-7.el9ost.src",
            "9Base-RHOSO-TOOLS-18:python3-eventlet-0:0.33.1-7.el9ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:1959"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "9Base-RHOSO-18.0:python-eventlet-0:0.33.1-7.el9ost.src",
            "9Base-RHOSO-18.0:python3-eventlet-0:0.33.1-7.el9ost.noarch",
            "9Base-RHOSO-TOOLS-18:python-eventlet-0:0.33.1-7.el9ost.src",
            "9Base-RHOSO-TOOLS-18:python3-eventlet-0:0.33.1-7.el9ost.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "9Base-RHOSO-18.0:python-eventlet-0:0.33.1-7.el9ost.src",
            "9Base-RHOSO-18.0:python3-eventlet-0:0.33.1-7.el9ost.noarch",
            "9Base-RHOSO-TOOLS-18:python-eventlet-0:0.33.1-7.el9ost.src",
            "9Base-RHOSO-TOOLS-18:python3-eventlet-0:0.33.1-7.el9ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-eventlet: Eventlet HTTP request smuggling"
    }
  ]
}

CVE-2025-58068 (GCVE-0-2025-58068)

Vulnerability from cvelistv5 – Published: 2025-08-29 21:12 – Updated: 2025-11-03 18:13

Title

Eventlet affected by HTTP request smuggling in unparsed trailers

Summary

Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to, bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers which is a breaking change if a backend behind eventlet.wsgi proxy requires trailers. A workaround involves not using eventlet.wsgi facing untrusted clients.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/eventlet/eventlet/security/adv…	x_refsource_CONFIRM
	https://github.com/eventlet/eventlet/pull/1062	x_refsource_MISC
	https://github.com/eventlet/eventlet/commit/0bfeb…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	eventlet	eventlet	Affected: < 0.40.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58068",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-02T13:49:48.188360Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-02T13:51:35.797Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T18:13:48.690Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "eventlet",
          "vendor": "eventlet",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.40.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to, bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers which is a breaking change if a backend behind eventlet.wsgi proxy requires trailers. A workaround involves not using eventlet.wsgi facing untrusted clients."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-29T21:12:24.534Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7"
        },
        {
          "name": "https://github.com/eventlet/eventlet/pull/1062",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/eventlet/eventlet/pull/1062"
        },
        {
          "name": "https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb"
        }
      ],
      "source": {
        "advisory": "GHSA-hw6f-rjfj-j7j7",
        "discovery": "UNKNOWN"
      },
      "title": "Eventlet affected by HTTP request smuggling in unparsed trailers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58068",
    "datePublished": "2025-08-29T21:12:24.534Z",
    "dateReserved": "2025-08-22T14:30:32.223Z",
    "dateUpdated": "2025-11-03T18:13:48.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:1959

CVE-2025-58068 (GCVE-0-2025-58068)

Tags

Sightings

Nomenclature