PublicDateAtUSN: 2021-05-07 15:15:00 UTC
Candidate: CVE-2021-21419
PublicDate: 2021-05-07 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21419
 https://ubuntu.com/security/notices/USN-4956-1
Description:
 Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending a highly compressed data frame. A patch in version 0.31.0 restricts websocket frames to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect the Eventlet process itself.
Ubuntu-Description:
Notes:
 leosilva> support for permessage-deflate extension or compression extension
 leosilva> was added by b7d2a251ad55e1c161aa6c8aa236db456c4c4a21 and it's not
 leosilva> present in versions of Bionic and xenial/esm-infra.
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988342
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]

Patches_python-eventlet:
 upstream: https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
upstream_python-eventlet: released (0.31.0)
precise/esm_python-eventlet: DNE
trusty_python-eventlet: ignored (out of standard support)
trusty/esm_python-eventlet: DNE
xenial_python-eventlet: ignored (out of standard support)
esm-infra/xenial_python-eventlet: not-affected (code not present)
bionic_python-eventlet: not-affected (code not present)
focal_python-eventlet: released (0.25.1-2ubuntu1.1)
groovy_python-eventlet: released (0.26.1-0ubuntu1.1)
hirsute_python-eventlet: released (0.30.0-0ubuntu1.1)
impish_python-eventlet: released (0.30.0-0ubuntu2)
jammy_python-eventlet: released (0.30.0-0ubuntu2)
devel_python-eventlet: released (0.30.0-0ubuntu2)