This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.
This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.
This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from
failing over to TCP and causing the query to timeout #1053.
2.6.0
As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython
stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a legitimate one on the
UDP port dnspython is using for that query.
This release addresses the issue by adopting the recommended mitigation, which is
ignoring the bad packets and continuing to listen for a legitimate response until
the timeout for the query has expired.
Added support for the NSID EDNS option.
Dnspython now looks for version metadata for optional packages and will not
use them if they are too old. This prevents possible exceptions when a
feature like DoH is not desired in dnspython, but an old httpx is installed
along with dnspython for some other purpose.
The DoHNameserver class now allows GET to be used instead of the default POST,
and also passes source and source_port correctly to the underlying query
methods.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Vyxal/VyxalBot2/network/alerts).
Bumps dnspython from 2.5.0 to 2.6.1.
Release notes
Sourced from dnspython's releases.
Changelog
Sourced from dnspython's changelog.
Commits
0a742b9
update CI0ea5ad0
The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)f12d398
2.6.1 version prepcecb853
Further improve CVE fix coverage to 100% for sync and async.7952e31
test IgnoreErrorse093299
For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.3af9f78
2.6.0 versioningca63d95
Require cryptography >=41 instead of 42.902cbf3
Create CODE_OF_CONDUCT.mded9795f
github contributing and pull request templateDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show