Bug 2274520 (CVE-2023-29483)

Summary: CVE-2023-29483 dnspython: denial of service in stub resolver
Product: [Other] Security Response Reporter: ybuenos
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, brking, crizzo, dfreiber, drow, eglynn, epacific, haoli, hkataria, jajackso, jburrell, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jschluet, kegrant, koliveir, kshier, kyoshida, lhh, lsvaty, mabashia, mburns, mgarciac, michel, omaciel, pbraun, pgrist, psampaio, selvakumar_eswaran, shvarugh, sidakwo, simaishi, smcdonal, stcannon, teagle, tfister, thavo, vkumar, yguenane, zsadeh
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dnspython 2.6.0 Doc Type: If docs needed, set a value
Doc Text:
The dnspython stub resolver is vulnerable to a denial of service (DoS) risk if an attacker sends a malicious response forged with the correct address and port before a legitimate one arrives on the UDP port used by dnspython for the query. In such cases, dnspython could either switch to another resolver or abandon the query altogether, potentially leading to service denial for that resolution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2024-04-11 18:43:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2274683, 2274684, 2274521, 2274679, 2274681, 2274682, 2274685    
Bug Blocks: 2274530    

Description ybuenos 2024-04-11 13:14:43 UTC 
The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython happens to be using for that single query.
Comment 1 ybuenos 2024-04-11 13:14:57 UTC 
Created python-dnslib tracking bugs for this issue:

Affects: fedora-all [bug 2274521]
Comment 2 Pedro Sampaio 2024-04-11 18:43:22 UTC 
opened by mistake. closing.
Comment 4 TEJ RATHI 2024-04-12 07:23:57 UTC 
References:

https://www.dnspython.org/news/2.6.0rc1/
https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 (v2.6.0rc1)
https://github.com/rthalley/dnspython/commit/e093299a49967696b1c58b68e4767de5031a3e46 (v2.6.0)
https://github.com/rthalley/dnspython/issues/1051#issuecomment-1949383928

https://github.com/eventlet/eventlet/issues/913	
https://github.com/eventlet/eventlet/releases/tag/v0.35.2
Comment 6 TEJ RATHI 2024-04-12 07:44:35 UTC 
Created 2ping tracking bugs for this issue:

Affects: fedora-all [bug 2274682]


Created python-b4 tracking bugs for this issue:

Affects: epel-all [bug 2274681]


Created python-dns tracking bugs for this issue:

Affects: fedora-all [bug 2274685]


Created python3.11-dns-epel tracking bugs for this issue:

Affects: epel-all [bug 2274683]


Created python39-dns tracking bugs for this issue:

Affects: epel-all [bug 2274684]
Comment 10 Michel Lind 2024-04-18 02:46:58 UTC 
Why is the python-b4 bug cut? As you can see it just BuildRequires and Requires python3dist(dnspython) - it does not bundle it. Fixing dnspython would be sufficient

❯ fedrq pkgs --src python-b4 -F requires
python3-devel
python3dist(packaging)
pyproject-rpm-macros
python3dist(wheel)
python3dist(pytest)
gnupg2
python3dist(pip) >= 19
(python3dist(tomli) if python3-devel < 3.11)
python3dist(setuptools) >= 40.8
(python3dist(requests) < 3~~ with python3dist(requests) >= 2.24)
(python3dist(dkimpy) < 2~~ with python3dist(dkimpy) >= 1)
(python3dist(dnspython) < 3~~ with python3dist(dnspython) >= 2.1)
(python3dist(git-filter-repo) < 3~~ with python3dist(git-filter-repo) >= 2.30)
(python3dist(patatt) < 2~~ with python3dist(patatt) >= 0.6)

❯ fedrq pkgs b4 -F requires
/usr/bin/python3
python(abi) = 3.12
(python3.12dist(requests) < 3~~ with python3.12dist(requests) >= 2.24)
(python3.12dist(dkimpy) < 2~~ with python3.12dist(dkimpy) >= 1)
(python3.12dist(dnspython) < 3~~ with python3.12dist(dnspython) >= 2.1)
(python3.12dist(git-filter-repo) < 3~~ with python3.12dist(git-filter-repo) >= 2.30)
(python3.12dist(patatt) < 2~~ with python3.12dist(patatt) >= 0.6)
Comment 11 errata-xmlrpc 2024-05-22 11:41:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3275 https://access.redhat.com/errata/RHSA-2024:3275
Comment 12 errata-xmlrpc 2024-05-30 02:14:12 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:3483 https://access.redhat.com/errata/RHSA-2024:3483
Comment 13 errata-xmlrpc 2024-06-27 13:00:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045
Comment 14 errata-xmlrpc 2024-07-25 14:16:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4699 https://access.redhat.com/errata/RHSA-2024:4699
Comment 15 errata-xmlrpc 2024-07-31 14:32:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4846 https://access.redhat.com/errata/RHSA-2024:4846
Comment 16 Selva 2024-08-07 07:49:11 UTC 
Please update RHSA for RHEL 8.8 EUS. THanks
Comment 17 errata-xmlrpc 2024-08-07 10:52:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960
Comment 21 errata-xmlrpc 2024-11-12 10:57:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9423 https://access.redhat.com/errata/RHSA-2024:9423