Dnspython 2.6.0rc1 dns.query.udp() API change heads-up #913
Comments
Look forward to the eventlet release which will include the fix for CVE-2023-29483.

…e heads-up eventlet#913 - used the new param 'ignore_errors'

@kelvin-j-li Will release a new eventlet version once your patch is merged, but please answer my question first => #916 (comment)

Dnspython 2.6.0 is live now. I have put up a "pinned" dnspython issue telling people using eventlet and dnspython that the eventlet team is working on a patch and to pin dnspython to < 2.6 in the meantime.

I had to do a 2.6.1 because the Tudoor CVE fix ate a legitimate Truncated exception too. I updated the sample eventlet code referred to above to include this change. Sorry about the froth!

Hi @4383,

The fix is now merged, let's close this issue

release is pending #919

As part of addressing a potential resolution DoS, we had to add a new parameter to dns.query.udp(), "ignore_errors". Dnspython's stub resolver in 2.6.0 will pass True for this flag, so the monkeypatched version of dns.query.udp() in eventlet will need to be updated or resolutions will start failing when people install dnspython 2.6.0. I just released 2.6.0rc1, and will release the final version a week from now, so you can test with that. If you just fix the API, then you will be vulnerable to the potential DoS still, as the fix involves ignoring various errors in the receive loop instead of giving up. You can see the revised logic in dnspython's dns.query.receive_udp() method. Pinning eventlet to <2.6.0 would also be a mitigation, though again with the potential DoS.
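
The receive-loop behaviour described in this issue, as an added illustration that is not dnspython's or eventlet's code: a simplified model showing why accepting the `ignore_errors` parameter without changing the loop leaves the lookup failing on the first bad datagram, and why a truncated reply that does match the query still has to reach the caller. All names here (`build`, `parse`, `receive`, the exception classes) and all packets are constructed for the example, and only the 12-byte DNS header is parsed.

```python
import struct


class BadResponse(Exception):
    """Datagram could not be parsed or does not answer our query."""


class Truncated(Exception):
    """A matching reply had the TC bit set; the caller should retry over TCP."""


def build(msg_id, flags=0x8180):
    # Constructed 12-byte DNS header only (QR=1, RD, RA by default; no sections).
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def parse(wire, query_id):
    if len(wire) < 12:
        raise BadResponse("short packet")
    msg_id, flags = struct.unpack("!HH", wire[:4])
    if not flags & 0x8000 or msg_id != query_id:
        raise BadResponse("not a response to our query")
    if flags & 0x0200:  # TC bit on a reply that does match the query
        raise Truncated()
    return msg_id


def receive(datagrams, query_id, ignore_errors=False):
    """Model receive loop; `datagrams` stands in for recvfrom() until the deadline."""
    for wire in datagrams:
        try:
            return parse(wire, query_id)
        except BadResponse:
            if ignore_errors:
                continue  # drop the junk and keep waiting for the real answer
            raise  # giving up here lets one bad datagram end the lookup
    raise TimeoutError("no valid response before the deadline")


# Constructed sample datagrams.
JUNK = b"\x00\x01"                    # too short to be a DNS message
MISMATCH = build(0x1111)              # well-formed, wrong message ID
GOOD = build(0x2222)                  # the real answer
TRUNC = build(0x2222, flags=0x8380)   # matching reply with TC set
```
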