This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.
This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.
This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from
failing over to TCP and causing the query to timeout #1053.
2.6.0
As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython
stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a legitimate one on the
UDP port dnspython is using for that query.
This release addresses the issue by adopting the recommended mitigation, which is
ignoring the bad packets and continuing to listen for a legitimate response until
the timeout for the query has expired.
Added support for the NSID EDNS option.
Dnspython now looks for version metadata for optional packages and will not
use them if they are too old. This prevents possible exceptions when a
feature like DoH is not desired in dnspython, but an old httpx is installed
along with dnspython for some other purpose.
The DoHNameserver class now allows GET to be used instead of the default POST,
and also passes source and source_port correctly to the underlying query
methods.
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
Fixed issue where InsecureRequestWarning was emitted for HTTPS connections when using Emscripten. (#3331)
Fixed HTTPConnectionPool.urlopen to stop automatically casting non-proxy headers to HTTPHeaderDict. This change was premature as it did not apply to proxy headers and HTTPHeaderDict does not handle byte header values correctly yet. (#3343)
Changed ProtocolError to InvalidChunkLength when response terminates before the chunk length is sent. (#2860)
Changed ProtocolError to be more verbose on incomplete reads with excess content. (#3261)
Fixed issue where InsecureRequestWarning was emitted for HTTPS connections when using Emscripten. ([#3331](https://github.com/urllib3/urllib3/issues/3331) <https://github.com/urllib3/urllib3/issues/3331>__)
Fixed HTTPConnectionPool.urlopen to stop automatically casting non-proxy headers to HTTPHeaderDict. This change was premature as it did not apply to proxy headers and HTTPHeaderDict does not handle byte header values correctly yet. ([#3343](https://github.com/urllib3/urllib3/issues/3343) <https://github.com/urllib3/urllib3/issues/3343>__)
Changed InvalidChunkLength to ProtocolError when response terminates before the chunk length is sent. ([#2860](https://github.com/urllib3/urllib3/issues/2860) <https://github.com/urllib3/urllib3/issues/2860>__)
Changed ProtocolError to be more verbose on incomplete reads with excess content. ([#3261](https://github.com/urllib3/urllib3/issues/3261) <https://github.com/urllib3/urllib3/issues/3261>__)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the dependencies group in /.config with 4 updates: pipdeptree, dnspython, mkdocs-material and urllib3.
Updates
pipdeptreefrom 2.13.2 to 2.15.1Release notes
Sourced from pipdeptree's releases.
Commits
bc804e3Have --license work with --reverse (#321)e8a7801Have --license and --reverse options in the "render" argument group (#320)c6de3c3[pre-commit.ci] pre-commit autoupdate (#319)134ca6eImplement --license option (#318)312818a[pre-commit.ci] pre-commit autoupdate (#317)9d8f2b7[pre-commit.ci] pre-commit autoupdate (#316)1cd3453[pre-commit.ci] pre-commit autoupdate (#315)75389a0[pre-commit.ci] pre-commit autoupdate (#314)d317f9b[pre-commit.ci] pre-commit autoupdate (#313)Updates
dnspythonfrom 2.5.0 to 2.6.1Release notes
Sourced from dnspython's releases.
Changelog
Sourced from dnspython's changelog.
Commits
0a742b9update CI0ea5ad0The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)f12d3982.6.1 version prepcecb853Further improve CVE fix coverage to 100% for sync and async.7952e31test IgnoreErrorse093299For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.3af9f782.6.0 versioningca63d95Require cryptography >=41 instead of 42.902cbf3Create CODE_OF_CONDUCT.mded9795fgithub contributing and pull request templateUpdates
mkdocs-materialfrom 9.5.9 to 9.5.11Release notes
Sourced from mkdocs-material's releases.
Changelog
Sourced from mkdocs-material's changelog.
... (truncated)
Commits
10a97aaUpdated Insiders changelogbe21a6fPrepare 9.5.11 releasef26cfaaDocumentation23f1886Removed manually added instant previews in light of new extension59f4147Updated Insiders changeloga1f4084Updated distribution filesb24e494Updated Finnish translation (#6801)740552aDocumentation (#6803)b3e8f09Updated Premium sponsorsc8eea6bMerge branch 'master' of github.com:squidfunk/mkdocs-materialUpdates
urllib3from 2.2.0 to 2.2.1Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
Commits
54d6edfRelease 2.2.149b2ddaStop casting request headers to HTTPHeaderDict (#3344)e22f651Fix docstring of retries parameterfa54179Distinguish between truncated and excess content in response (#3273)cfe52f9Fix InsecureRequestWarning for HTTPS Emscripten requests (#3333)25155d7Ensure no remote connections during testing (#3328)12f9233Bump cryptography to 42.0.2 and PyOpenSSL to 24.0.0 (#3340)9929d3cAdd nox session to start local Pyodide consoleaa8d3ddFix ssl_version tests for upcoming migration to pytest 823f2287Remove TODO about informational responses (#3319)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show