Dnspython 2.6.0rc1 dns.query.udp() API change heads-up #913

Closed
rthalley opened this issue Feb 10, 2024 · 7 comments

Comments

@rthalley

As part of addressing a potential resolution DoS, we had to add a new parameter to dns.query.udp(), "ignore_errors". Dnspython's stub resolver in 2.6.0 will pass True for this flag, so the monkeypatched version of dns.query.udp() in eventlet will need to be updated or resolutions will start failing when people install dnspython 2.6.0. I just released 2.6.0rc1, and will release the final version a week from now, so you can test with that. If you just fix the API, then you will be vulnerable to the potential DoS still, as the fix involves ignoring various errors in the receive loop instead of giving up. You can see the revised logic in dnspython's dns.query.receive_udp() method. Pinning eventlet to <2.6.0 would also be a mitigation, though again with the potential DoS.

@kelvin-j-li
Contributor

Look forward to the eventlet release which will include the fix for CVE-2023-29483.

kelvin-j-li added a commit to kelvin-j-li/eventlet that referenced this issue Feb 14, 2024
@4383
Member

4383 commented Feb 16, 2024

@kelvin-j-li Will release a new eventlet version once your patch is merged, but please answer my question first => #916 (comment)

@rthalley
Author

Dnspython 2.6.0 is live now. I have put up a "pinned" dnspython issue telling people using eventlet and dnspython that the eventlet team is working on a patch and to pin dnspython to < 2.6 in the meantime.

@rthalley
Author

I had to do a 2.6.1 because the Tudoor CVE fix ate a legitimate Truncated exception too. I updated the sample eventlet code referred to above to include this change. Sorry about the froth!
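
The receive-loop behaviour described in the comments above (ignore bad datagrams rather than give up, but still surface a genuine Truncated), as an added example that is not dnspython's or eventlet's code. It is a simplified stdlib-only model: `check_response`, `demo`, the exception classes and all packet bytes are constructed for illustration, and only the `ignore_errors` name comes from the thread.

```python
import socket
import struct
import time

QUERY_ID = 0x1234  # constructed sample values throughout

class BadResponse(Exception):
    """Datagram that is not a usable answer to our query."""

class Truncated(Exception):
    """Genuine answer with the TC bit set; the caller should retry over TCP."""

def header(msg_id, flags):
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)

def check_response(wire, query_id):
    # Sketch-level validation only: header length, QR bit, message ID, TC bit.
    if len(wire) < 12:
        raise BadResponse("short packet")
    msg_id, flags = struct.unpack("!HH", wire[:4])
    if not flags & 0x8000 or msg_id != query_id:
        raise BadResponse("not a response to our query")
    if flags & 0x0200:
        raise Truncated("TC bit set")
    return wire

def receive_udp(sock, query_id, timeout, ignore_errors):
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("no valid response before deadline")
        sock.settimeout(remaining)
        wire = sock.recv(65535)
        try:
            return check_response(wire, query_id)
        except BadResponse:
            if not ignore_errors:
                raise  # giving up here is what lets one junk datagram fail the lookup
            # ignore_errors=True: drop it and keep waiting; Truncated still propagates

def demo(datagrams, ignore_errors, timeout=0.5):
    rx, tx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with rx, tx:  # constructed datagrams queued on a local socket pair
        for wire in datagrams:
            tx.send(wire)
        return receive_udp(rx, QUERY_ID, timeout, ignore_errors)
```

A wrapper that accepts `ignore_errors` but never reaches the `continue` path behaves like the `ignore_errors=False` case here, which is the "fix the API but stay exposed" situation the first comment warns about.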

@kelvin-j-li
Contributor

> @kelvin-j-li Will release a new eventlet version once your patch is merged, but please answer my question first => #916 (comment)

Hi @4383 ,
I posted my reply in #916 (comment)
thanks!

@4383
Member

4383 commented Feb 19, 2024

The fix is now merged, let's close this issue

@4383 4383 closed this as completed Feb 19, 2024
@4383
Member

4383 commented Feb 19, 2024

release is pending #919
