Closed rayliu0 closed 2 months ago
@rayliu0 Upgrade to latest versions of dnspython and eventlet is breaking things and it will require an upgrade of gunicorn. I have therefore proposed separate PRs https://github.com/cloudera/hue/pull/3796 and https://github.com/cloudera/hue/pull/3797 to bring in only TuDoor/DoS related fixes into Hue in the short term while we work to upgrade gunicorn.
@amitsrivastava Thx
Is there an existing issue for this?
Description
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. Hue needs to upgrade two dependency package versions.
Steps To Reproduce
Hue needs to upgrade two dependency package versions. https://github.com/advisories/GHSA-3rq5-2g8h-59hc
Logs
No response
Hue version
4.11.0
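The "full time window" behaviour the Description refers to, shown as an added example that is not part of this issue or of dnspython's code: a constructed UDP socket stand-in with a virtual clock delivers a junk datagram and a mismatched-ID reply before the real answer; the pre-fix loop fails on the first invalid packet, while the fixed loop discards it and keeps waiting for a valid reply until the full timeout has elapsed. Only the 12-byte DNS header (transaction ID and QR bit) is modelled, and all names here are assumptions.

```python
import socket
QUERY_ID = 0x1234
# Constructed datagrams: a 12-byte reply header carrying our ID with the QR bit
# set, the same header with a mismatched ID, and a 1-byte junk datagram.
VALID_REPLY = bytes([0x12, 0x34, 0x81, 0x80]) + bytes(8)
WRONG_ID_REPLY = bytes([0x99, 0x99, 0x81, 0x80]) + bytes(8)
JUNK = b"\x00"
INTERFERENCE = [(0.01, JUNK), (0.05, WRONG_ID_REPLY), (0.40, VALID_REPLY)]

def is_valid_reply(data, expected_id):
    # Full 12-byte header, transaction ID matching our query, QR bit set.
    return (len(data) >= 12 and int.from_bytes(data[:2], "big") == expected_id
            and bool(data[2] & 0x80))

class ScriptedUdpSocket:
    # Constructed UDP socket stand-in on a virtual clock; entries are (arrival_time, payload).
    def __init__(self, datagrams):
        self.queue, self.clock, self.timeout = list(datagrams), 0.0, None
    def settimeout(self, seconds):
        self.timeout = seconds
    def recv(self, bufsize):
        if not self.queue or self.queue[0][0] - self.clock > self.timeout:
            self.clock += self.timeout  # nothing arrived before the timeout
            raise socket.timeout()
        self.clock, payload = self.queue.pop(0)
        return payload

def resolve_abort_on_invalid(sock, expected_id, timeout, now):
    # Pre-fix behaviour: the first datagram decides the outcome (timeout propagates).
    sock.settimeout(timeout)
    data = sock.recv(512)
    return ("answered" if is_valid_reply(data, expected_id) else "failed_on_invalid", data)

def resolve_wait_full_window(sock, expected_id, timeout, now):
    # Fixed behaviour: drop invalid datagrams, keep waiting until the window is used up.
    deadline = now() + timeout
    while (remaining := deadline - now()) > 0:
        sock.settimeout(remaining)
        try:
            data = sock.recv(512)
        except socket.timeout:
            break
        if is_valid_reply(data, expected_id):
            return ("answered", data)
    return ("timed_out", None)

def run(resolver, datagrams, timeout=2.0):
    # Drive one resolver against a scripted socket; returns (status, payload).
    sock = ScriptedUdpSocket(datagrams)
    return resolver(sock, QUERY_ID, timeout, lambda: sock.clock)
```

On a real socket the `now` argument would be `time.monotonic`; the virtual clock only makes the scenario reproducible offline.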