cloudera / hue

Open source SQL Query Assistant service for Databases/Warehouses
https://cloudera.com
Apache License 2.0

Potential DoS via the Tudoor mechanism in eventlet and dnspython, Hue needs to upgrade two dependency package versions #3772

Closed rayliu0 closed 2 months ago

rayliu0 commented 3 months ago

Description

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. Hue needs to upgrade two dependency package versions.

Steps To Reproduce

Hue needs to upgrade two dependency package versions. https://github.com/advisories/GHSA-3rq5-2g8h-59hc

Logs

No response

Hue version

4.11.0
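The description above contrasts two resolver behaviours: giving up as soon as an invalid packet arrives from the expected address and port, versus discarding it and continuing to wait for a valid answer until the timeout expires. The following is an added illustration of that difference, not code from Hue, dnspython or eventlet; the `Packet` model, the two `resolve_*` functions, the addresses, ports, transaction id and arrival times are all constructed for the example.

```python
"""Model of the two resolver behaviours named in the TuDoor advisory.

Added example: not Hue's, dnspython's or eventlet's code. Packets, addresses,
ports and timings are constructed; function names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Addr = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: Addr        # (ip, port) the datagram arrived from
    query_id: int    # transaction id carried in the response
    arrival: float   # seconds after the query was sent (constructed)
    valid: bool      # whether the response parses and matches the question


def _in_window(packets: List[Packet], timeout: float) -> List[Packet]:
    """Packets that arrive before the resolver's deadline, in arrival order."""
    return sorted((p for p in packets if p.arrival <= timeout),
                  key=lambda p: p.arrival)


def resolve_abort_on_invalid(packets: List[Packet], expected_src: Addr,
                             expected_id: int, timeout: float) -> str:
    """Vulnerable pattern: the first packet from the expected source decides
    the outcome, so one early junk packet turns the lookup into an error."""
    for pkt in _in_window(packets, timeout):
        if pkt.src != expected_src:
            continue  # wrong address/port: ignored in both variants
        if pkt.valid and pkt.query_id == expected_id:
            return "answer"
        return "error"  # gives up on the first invalid packet
    return "timeout"


def resolve_wait_full_window(packets: List[Packet], expected_src: Addr,
                             expected_id: int, timeout: float) -> str:
    """Preferred pattern: invalid packets are discarded and the resolver keeps
    waiting for a valid one until the deadline."""
    for pkt in _in_window(packets, timeout):
        if pkt.src != expected_src:
            continue
        if pkt.valid and pkt.query_id == expected_id:
            return "answer"
        # invalid packet from the expected source: drop it and keep waiting
    return "timeout"


# Constructed scenario: a junk packet beats the genuine answer by 30 ms.
EXPECTED_SRC: Addr = ("192.0.2.53", 53)
EXPECTED_ID = 0x1234
TIMEOUT = 2.0
SAMPLE: List[Packet] = [
    Packet(("198.51.100.7", 53), EXPECTED_ID, 0.005, valid=False),  # wrong source
    Packet(EXPECTED_SRC, EXPECTED_ID, 0.010, valid=False),          # junk, expected source
    Packet(EXPECTED_SRC, EXPECTED_ID, 0.040, valid=True),           # genuine answer
]


def compare(packets: List[Packet] = SAMPLE) -> Dict[str, str]:
    """Run both behaviours over the same packet sequence."""
    return {
        "abort_on_invalid": resolve_abort_on_invalid(
            packets, EXPECTED_SRC, EXPECTED_ID, TIMEOUT),
        "wait_full_window": resolve_wait_full_window(
            packets, EXPECTED_SRC, EXPECTED_ID, TIMEOUT),
    }


if __name__ == "__main__":
    print(compare())
```

Running the model shows the point of the fix: the same packet sequence yields an error under the abort-on-invalid behaviour and the genuine answer under the wait-full-window behaviour. The fixed dnspython and eventlet releases named in the advisory (dnspython 2.6.1, eventlet 0.35.2) are the ones to require in Hue's dependency pins.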

rayliu0 commented 3 months ago

https://github.com/cloudera/hue/pull/3773

amitsrivastava commented 2 months ago

@rayliu0 Upgrading to the latest versions of dnspython and eventlet is breaking things and will require an upgrade of gunicorn. I have therefore proposed separate PRs https://github.com/cloudera/hue/pull/3796 and https://github.com/cloudera/hue/pull/3797 to bring only the Tudoor/DoS related fixes into Hue in the short term while we work to upgrade gunicorn.

rayliu0 commented 2 months ago

@amitsrivastava Thx