Bug 1215469 (CVE-2023-41419)

Summary: VUL-0: CVE-2023-41419: python-gevent: http request smuggling
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: jzerebecki, mcepl, rfrohl, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/379114/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-41419:8.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2023-09-19 06:52:23 UTC
CVE-2023-41419

https://github.com/gevent/gevent/commit/693181e8e109f1a91d1783cb06c758329553fc72


- Make ``gevent.pywsgi`` comply more closely with the HTTP specification
  for chunked transfer encoding. In particular, we are much stricter
  about trailers, and trailers that are invalid (too long or featuring
  disallowed characters) forcibly close the connection to the client
  *after* the results have been sent.

  Trailers otherwise continue to be ignored and are not available to the
  WSGI application.

  Previously, carefully crafted invalid trailers in chunked requests on
  keep-alive connections might appear as two requests to
  ``gevent.pywsgi``. Because this was handled exactly as a normal
  keep-alive connection with two requests, the WSGI application should
  handle it normally. However, if you were counting on some upstream
  server to filter incoming requests based on paths or header fields,
  and the upstream server simply passed trailers through without
  validating them, then this embedded second request would bypass those
  checks. (If the upstream server validated that the trailers meet the
  HTTP specification, this could not occur, because characters that are
  required in an HTTP request, like a space, are not allowed in
  trailers.) CVE-2023-41419 was reserved for this.

  Our thanks to the original reporters, Keran Mu
  (mkr22@mails.tsinghua.edu.cn) and Jianjun Chen
  (jianjun@tsinghua.edu.cn), from Tsinghua University and Zhongguancun
  Laboratory.
  See :issue:`1989`.
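
An added illustration of the stricter trailer handling the changelog above describes (not gevent's code and not part of this bug report): a chunked-body decoder that validates every trailer line and, on an invalid one, signals "close after responding" and discards the remaining bytes instead of reading them as a second request. The function names, the 8192-byte limit and the sample inputs are assumptions.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 field-name
VALUE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")        # field-value, no CR/LF/NUL
HEXSIZE = re.compile(rb"[0-9A-Fa-f]{1,8}")             # chunk extensions rejected here
MAX_TRAILER_LINE = 8192  # assumed limit; the changelog only says "too long"


def trailer_line_ok(line):
    """True if line (CRLF stripped) is a well-formed trailer field line."""
    if len(line) > MAX_TRAILER_LINE:
        return False
    name, sep, value = line.partition(b":")
    return bool(sep and TOKEN.fullmatch(name) and VALUE.fullmatch(value))


def decode_chunked(buf):
    """Return (body, keep_alive, rest) for one chunked body at the start of buf.

    rest (bytes of a following request) is non-empty only if keep_alive is True.
    """
    body, pos = b"", 0
    while True:  # chunks
        end = buf.find(b"\r\n", pos)
        if end < 0 or not HEXSIZE.fullmatch(buf[pos:end]):
            raise ValueError("bad chunk-size line")
        size, pos = int(buf[pos:end], 16), end + 2
        if size == 0:
            break
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body, pos = body + buf[pos:pos + size], pos + size + 2
    while True:  # trailer section: field lines, then one empty line
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated trailer section")
        line, pos = buf[pos:end], end + 2
        if line == b"":
            return body, True, buf[pos:]
        if not trailer_line_ok(line):
            # Serve this request, then close; never parse the remaining bytes.
            return body, False, b""


# Constructed sample inputs (not from the bug report).
GOOD = b"5\r\nhello\r\n0\r\nX-Checksum: abc123\r\n\r\n"
BAD = b"5\r\nhello\r\n0\r\nbad name: x\r\n\r\nleftover bytes"
print(decode_chunked(GOOD), decode_chunked(BAD))
```

A front-end proxy that applies the same field-name and field-value checks before forwarding is the upstream validation the changelog says would have prevented the bypass.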
Comment 1 Matej Cepl 2023-09-20 12:51:20 UTC
Upstream seems to be https://github.com/gevent/gevent/issues/1989
Comment 2 Matej Cepl 2023-09-20 12:55:50 UTC
So, are these affected channels?

SUSE:ALP:Source:Standard:1.0
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
SUSE:SLE-15:Update
Comment 3 Marcus Meissner 2023-09-20 14:09:45 UTC
as far as I see yes.
Comment 8 Matej Cepl 2023-09-29 20:53:04 UTC
https://build.suse.de/request/show/308924
Comment 11 Maintenance Automation 2023-10-05 12:29:34 UTC
SUSE-SU-2023:3975-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215469
CVE References: CVE-2023-41419
Sources used:
SUSE OpenStack Cloud 9 (src): python-gevent-1.3.5-3.3.1
SUSE OpenStack Cloud Crowbar 9 (src): python-gevent-1.3.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-10-09 12:28:57 UTC
SUSE-SU-2023:4009-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215469
CVE References: CVE-2023-41419
Sources used:
SUSE OpenStack Cloud 8 (src): python-gevent-1.1.2-3.3.1
SUSE OpenStack Cloud Crowbar 8 (src): python-gevent-1.1.2-3.3.1
HPE Helion OpenStack 8 (src): python-gevent-1.1.2-3.3.1

Comment 13 Maintenance Automation 2023-10-17 08:30:10 UTC
SUSE-SU-2023:4091-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215469
CVE References: CVE-2023-41419
Sources used:
SUSE Manager Server 4.2 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Enterprise Storage 7.1 (src): python-gevent-1.2.2-150000.5.3.1
SUSE CaaS Platform 4.0 (src): python-gevent-1.2.2-150000.5.3.1
Basesystem Module 15-SP4 (src): python-gevent-1.2.2-150000.5.3.1
Basesystem Module 15-SP5 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Manager Proxy 4.2 (src): python-gevent-1.2.2-150000.5.3.1
SUSE Manager Retail Branch Server 4.2 (src): python-gevent-1.2.2-150000.5.3.1

Comment 14 Robert Frohl 2024-06-05 07:54:10 UTC
done, closing