Two new security updates are available for Debian GNU/Linux 11 (Bullseye) LTS to address vulnerabilities in the python-eventlet and python-h2 packages. The first update, DLA-4289-1, fixes a vulnerability in eventlet that allows attackers to bypass front-end security controls and launch targeted attacks against active site users. The second update, DLA-4290-1, addresses an HTTP/2 request splitting vulnerability in python-h2 that enables attackers to manipulate request boundaries and bypass security controls.

[DLA 4289-1] python-eventlet security update
[DLA 4290-1] python-h2 security update

[SECURITY] [DLA 4289-1] python-eventlet security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4289-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thomas Goirand
September 02, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-eventlet
Version : 0.26.1-7+deb11u2
CVE ID : CVE-2025-58068
Debian Bug :

CVE-2025-58068
Eventlet is a concurrent networking library for Python. Eventlet WSGI
parser is vulnerable to HTTP Request Smuggling due to improper
handling of HTTP trailer sections. This vulnerability could enable
attackers to, bypass front-end security controls, launch targeted
attacks against active site users, and poison web caches.

For Debian 11 bullseye, this problem has been fixed in version
0.26.1-7+deb11u2.

We recommend that you upgrade your python-eventlet packages.

For the detailed security status of python-eventlet please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-eventlet

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4290-1] python-h2 security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4290-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 02, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-h2
Version : 4.0.0-3+deb11u1
CVE ID : CVE-2025-57804
Debian Bug : 1112348

A vulnerability has been discovered in python-h2, a Python HTTP/2
protocol implementation.

CVE-2025-57804

HTTP/2 request splitting vulnerability allows attackers to perform
request smuggling attacks by injecting CRLF characters into headers.
This occurs when servers downgrade HTTP/2 requests to HTTP/1.1
without properly validating header names/values, enabling attackers
to manipulate request boundaries and bypass security controls.

For Debian 11 bullseye, this problem has been fixed in version
4.0.0-3+deb11u1.

We recommend that you upgrade your python-h2 packages.

For the detailed security status of python-h2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-h2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS