CVE-2023-29483

Advisory

Dnspython affected versions are vulnerable to a DoS vulnerability highlighted in the "TuDoor" paper, where spoofed DNS responses could disrupt service. The update prevents denial of service by ignoring malicious packets, allowing the resolver to wait for valid responses until a query's timeout. This mitigation ensures continued service despite attempted attacks, enhancing the resolver's reliability and security.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

See [What's New](https://dnspython.readthedocs.io/en/latest/whatsnew.html) for details.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Resources

• https://github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2
• https://github.com/rthalley/dnspython/pull/1054
• https://github.com/rthalley/dnspython/issues/1045
• https://lixiang521.com/publication/oakland24/sp24spring-tudoor-li.pdf
• https://pypi.org/project/dnspython
• https://data.safetycli.com/changelogs/dnspython/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29483