Bug 2274520 (CVE-2023-29483) - CVE-2023-29483 dnspython: denial of service in stub resolver
Summary: CVE-2023-29483 dnspython: denial of service in stub resolver
Keywords:
Status: NEW
Alias: CVE-2023-29483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2274683 2274684 2274521 2274679 2274681 2274682 2274685
Blocks: 2274530
Reported: 2024-04-11 13:14 UTC by ybuenos
Modified: 2025-05-15 08:28 UTC (History)

Fixed In Version: dnspython 2.6.0
Clone Of:
Environment:
Last Closed: 2024-04-11 18:43:22 UTC
Embargoed:




Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:0045 | 0       | None     | None   | None    | 2024-06-27 13:00:53 UTC
Red Hat Product Errata | RHSA-2024:3275 | 0       | None     | None   | None    | 2024-05-22 11:41:21 UTC
Red Hat Product Errata | RHSA-2024:3483 | 0       | None     | None   | None    | 2024-05-30 02:14:15 UTC
Red Hat Product Errata | RHSA-2024:4699 | 0       | None     | None   | None    | 2024-07-25 14:16:18 UTC
Red Hat Product Errata | RHSA-2024:4846 | 0       | None     | None   | None    | 2024-07-31 14:32:42 UTC
Red Hat Product Errata | RHSA-2024:4960 | 0       | None     | None   | None    | 2024-08-07 10:52:11 UTC
Red Hat Product Errata | RHSA-2024:9423 | 0       | None     | None   | None    | 2024-11-12 10:57:12 UTC

Description ybuenos 2024-04-11 13:14:43 UTC
The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython happens to be using for that single query.
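The failure mode in the description, shown as an added example (written here for illustration; it is not dnspython's own code and every name, address and datagram in it is constructed): a stub resolver that lets the first datagram from the expected server decide the outcome fails the whole query when that datagram is malformed, while a resolver that treats a malformed or mismatched datagram as noise keeps waiting and still gets the legitimate answer. The hardened variant also generalizes past the single case above by filtering on source address and on transaction ID; that "ignore and keep waiting until the deadline" behaviour is what I assume the 2.6.0 fix does, not something this report states.

```python
import socket
import struct
import time

# Constructed demo of the stub-resolver failure mode; not dnspython code.

def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid: int, name: str) -> bytes:
    """Header (ID, RD set, QDCOUNT=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_answer(qid: int, name: str, ipv4: str) -> bytes:
    """A constructed, well-formed response carrying a single A record."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ipv4)
    return header + question + rr

def parse_response(wire: bytes, expected_id: int) -> dict:
    """Validate the header; raise ValueError for anything malformed or not ours."""
    if len(wire) < 12:
        raise ValueError("truncated header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"id": qid, "rcode": flags & 0x000F, "answers": an}

def resolve_fail_fast(datagrams, expected_id, expected_addr):
    """Vulnerable pattern: the first datagram from the right source decides."""
    for wire, addr in datagrams:
        if addr != expected_addr:
            continue  # wrong source: dropped even before the fix
        return parse_response(wire, expected_id)  # a bad datagram raises -> query fails
    raise TimeoutError("no response before deadline")

def resolve_ignore_bad(datagrams, expected_id, expected_addr):
    """Hardened pattern: bad datagrams are noise; keep waiting for a valid one."""
    for wire, addr in datagrams:
        if addr != expected_addr:
            continue
        try:
            return parse_response(wire, expected_id)
        except ValueError:
            continue  # forged/malformed: ignore, the legitimate answer may still come
    raise TimeoutError("no response before deadline")

def udp_datagrams(sock, deadline):
    """Yield (wire, addr) from a bound UDP socket until the deadline passes."""
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return
        sock.settimeout(remaining)
        try:
            yield sock.recvfrom(65535)
        except socket.timeout:
            return

# Constructed scenario: junk from the right address/port arrives first,
# then the legitimate answer. 192.0.2.0/24 is a documentation range.
SERVER = ("192.0.2.53", 53)
QID = 0x1234
FORGED = b"\x12\x34\x81\x80"  # right ID, but truncated: "bad in some way"
LEGIT = build_answer(QID, "example.com.", "192.0.2.10")
SCENARIO = [(FORGED, SERVER), (LEGIT, SERVER)]

def demo():
    """Return (fail-fast outcome, hardened outcome) for the constructed scenario."""
    try:
        first = resolve_fail_fast(SCENARIO, QID, SERVER)
    except ValueError as exc:
        first = f"query failed: {exc}"
    second = resolve_ignore_bad(SCENARIO, QID, SERVER)
    return first, second

if __name__ == "__main__":
    print(demo())
```

In real use the `datagrams` argument would be `udp_datagrams(sock, time.monotonic() + timeout)` after `sock.sendto(build_query(QID, name), SERVER)`; the list in `SCENARIO` stands in for that so the comparison runs offline.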

Comment 1 ybuenos 2024-04-11 13:14:57 UTC
Created python-dnslib tracking bugs for this issue:

Affects: fedora-all [bug 2274521]

Comment 2 Pedro Sampaio 2024-04-11 18:43:22 UTC
Opened by mistake. Closing.

Comment 6 TEJ RATHI 2024-04-12 07:44:35 UTC
Created 2ping tracking bugs for this issue:

Affects: fedora-all [bug 2274682]


Created python-b4 tracking bugs for this issue:

Affects: epel-all [bug 2274681]


Created python-dns tracking bugs for this issue:

Affects: fedora-all [bug 2274685]


Created python3.11-dns-epel tracking bugs for this issue:

Affects: epel-all [bug 2274683]


Created python39-dns tracking bugs for this issue:

Affects: epel-all [bug 2274684]

Comment 10 Michel Lind 2024-04-18 02:46:58 UTC
Why is the python-b4 bug cut? As you can see, it just BuildRequires and Requires python3dist(dnspython); it does not bundle it. Fixing dnspython would be sufficient.

❯ fedrq pkgs --src python-b4 -F requires
python3-devel
python3dist(packaging)
pyproject-rpm-macros
python3dist(wheel)
python3dist(pytest)
gnupg2
python3dist(pip) >= 19
(python3dist(tomli) if python3-devel < 3.11)
python3dist(setuptools) >= 40.8
(python3dist(requests) < 3~~ with python3dist(requests) >= 2.24)
(python3dist(dkimpy) < 2~~ with python3dist(dkimpy) >= 1)
(python3dist(dnspython) < 3~~ with python3dist(dnspython) >= 2.1)
(python3dist(git-filter-repo) < 3~~ with python3dist(git-filter-repo) >= 2.30)
(python3dist(patatt) < 2~~ with python3dist(patatt) >= 0.6)

❯ fedrq pkgs b4 -F requires
/usr/bin/python3
python(abi) = 3.12
(python3.12dist(requests) < 3~~ with python3.12dist(requests) >= 2.24)
(python3.12dist(dkimpy) < 2~~ with python3.12dist(dkimpy) >= 1)
(python3.12dist(dnspython) < 3~~ with python3.12dist(dnspython) >= 2.1)
(python3.12dist(git-filter-repo) < 3~~ with python3.12dist(git-filter-repo) >= 2.30)
(python3.12dist(patatt) < 2~~ with python3.12dist(patatt) >= 0.6)

Comment 11 errata-xmlrpc 2024-05-22 11:41:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3275 https://access.redhat.com/errata/RHSA-2024:3275

Comment 12 errata-xmlrpc 2024-05-30 02:14:12 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:3483 https://access.redhat.com/errata/RHSA-2024:3483

Comment 13 errata-xmlrpc 2024-06-27 13:00:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045

Comment 14 errata-xmlrpc 2024-07-25 14:16:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4699 https://access.redhat.com/errata/RHSA-2024:4699

Comment 15 errata-xmlrpc 2024-07-31 14:32:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4846 https://access.redhat.com/errata/RHSA-2024:4846

Comment 16 Selva 2024-08-07 07:49:11 UTC
Please update RHSA for RHEL 8.8 EUS. Thanks

Comment 17 errata-xmlrpc 2024-08-07 10:52:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4960 https://access.redhat.com/errata/RHSA-2024:4960

Comment 21 errata-xmlrpc 2024-11-12 10:57:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9423 https://access.redhat.com/errata/RHSA-2024:9423

