PyPI: Eventlet

CVE-2023-29483

Transitive

Safety vulnerability ID: 66927

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 11, 2024 Updated at Dec 13, 2024

Advisory

Eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet.
NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.
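
The difference between the affected behavior and the preferred behavior described above can be shown with a small receive loop. This is an added example, not code from eventlet or dnspython; the function names are hypothetical, and "valid" is reduced to a matching DNS transaction ID on a constructed packet pair sent over a local socket pair.

```python
import socket
import struct
import time

def parse_id(packet):
    """Return the 16-bit DNS transaction ID, or None if the header is truncated."""
    if len(packet) < 12:  # a DNS header is 12 bytes
        return None
    return struct.unpack("!H", packet[:2])[0]

def recv_fragile(sock, expected_id, timeout):
    """Affected pattern: the first datagram received decides the outcome."""
    sock.settimeout(timeout)
    packet = sock.recv(4096)
    if parse_id(packet) != expected_id:
        raise ValueError("invalid response, resolution abandoned early")
    return packet

def recv_full_window(sock, expected_id, timeout):
    """Preferred pattern: drop invalid datagrams and keep waiting until the deadline."""
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("no valid response within the time window")
        sock.settimeout(remaining)
        try:
            packet = sock.recv(4096)
        except socket.timeout:
            raise TimeoutError("no valid response within the time window")
        if parse_id(packet) == expected_id:
            return packet
        # Invalid datagram: ignore it. The deadline is not reset.

def demo(receiver, send_valid=True, timeout=1.0):
    """Constructed scenario: an invalid datagram arrives ahead of the valid reply."""
    client, peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        query_id = 0x1A2B  # constructed sample value
        peer.send(b"\x00")  # constructed invalid packet (truncated header)
        if send_valid:
            peer.send(struct.pack("!HHHHHH", query_id, 0x8180, 1, 0, 0, 0))
        return parse_id(receiver(client, query_id, timeout))
    finally:
        client.close()
        peer.close()
```

A real resolver also checks the source address, port and question section before accepting a reply; the loop structure is the part that matters here.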

Affected package

eventlet

Latest version: 0.38.2

Highly concurrent networking library


Vulnerability changelog

======

* [fix] Fix tool.setuptools/packages list https://github.com/eventlet/eventlet/pull/921
* [security] Dnspython 2.6.1 - Address DoS via the Tudoor mechanism (CVE-2023-29483) https://github.com/eventlet/eventlet/pull/916
* [doc] add asyncio into the doc hub page https://github.com/eventlet/eventlet/pull/918
* [clean] clean obsolete python 2 code from the ssl module https://github.com/eventlet/eventlet/pull/915
* [fix] Add get_server_info to db_pool.py https://github.com/eventlet/eventlet/pull/324
* [fix] wsgi: Handle Timeouts from applications https://github.com/eventlet/eventlet/pull/911
* [fix] shrinks window before connecting https://github.com/eventlet/eventlet/pull/905
