Bug 2274520 (CVE-2023-29483) - CVE-2023-29483 dnspython: denial of service in stub resolver
Summary: CVE-2023-29483 dnspython: denial of service in stub resolver
Keywords:
Status: NEW
Alias: CVE-2023-29483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2274679 2274682 2274683 2274684 2274521 2274681 2274685
Blocks: 2274530
Reported: 2024-04-11 13:14 UTC by ybuenos
Modified: 2024-05-22 11:41 UTC

Fixed In Version: dnspython 2.6.0
Doc Text:
The dnspython stub resolver is vulnerable to a denial of service (DoS) risk if an attacker sends a malicious response forged with the correct address and port before a legitimate one arrives on the UDP port used by dnspython for the query. In such cases, dnspython could either switch to another resolver or abandon the query altogether, potentially leading to service denial for that resolution.
Clone Of:
Environment:
Last Closed: 2024-04-11 18:43:22 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:3275 | 0 | None | None | None | 2024-05-22 11:41:21 UTC

Description ybuenos 2024-04-11 13:14:43 UTC
The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython happens to be using for that single query.
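
The failure mode described above, and one way to mitigate it, as an added example (not code from dnspython or from this bug report). It is a simplified model: the message builder, the validation rules and all function names are hypothetical, the datagrams are constructed test data, and the query deadline is modelled as the end of the arrival list.

```python
import struct

class BadResponse(Exception):
    """Datagram from the expected address and port that fails validation."""

def encode_name(name):
    # Encode "example.com" as length-prefixed DNS labels (no compression).
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_message(msg_id, name, response=False):
    # 12-byte header plus one question (type A, class IN).
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def validate(datagram, query):
    # Accept only a well-formed response that mirrors the query's ID and question.
    if len(datagram) < 12:
        raise BadResponse("truncated header")
    msg_id, flags = struct.unpack("!HH", datagram[:4])
    if msg_id != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise BadResponse("not a response to this query")
    if datagram[12:len(query)] != query[12:]:
        raise BadResponse("question section does not match")
    return datagram

def receive_fail_fast(datagrams, query):
    # Behaviour the report describes: the first datagram decides the outcome,
    # so one bad packet makes the caller switch resolver or abandon the query.
    if not datagrams:
        raise TimeoutError("no response")
    return validate(datagrams[0], query)

def receive_tolerant(datagrams, query):
    # Mitigation: discard bad datagrams and keep listening until the deadline,
    # so a later legitimate response can still be accepted.
    for data in datagrams:
        try:
            return validate(data, query)
        except BadResponse:
            continue
    raise TimeoutError("no valid response before deadline")

# Constructed sample data: the bad datagram arrives before the legitimate one.
QUERY = build_message(0x1A2B, "example.com")
GOOD = build_message(0x1A2B, "example.com", response=True)
FORGED = GOOD[:7]            # right ID, but truncated ("bad in some way")
ARRIVALS = [FORGED, GOOD]
```

With `ARRIVALS`, `receive_fail_fast` raises `BadResponse` while `receive_tolerant` returns the legitimate response.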

Comment 1 ybuenos 2024-04-11 13:14:57 UTC
Created python-dnslib tracking bugs for this issue:

Affects: fedora-all [bug 2274521]

Comment 2 Pedro Sampaio 2024-04-11 18:43:22 UTC
Opened by mistake. Closing.

Comment 6 TEJ RATHI 2024-04-12 07:44:35 UTC
Created 2ping tracking bugs for this issue:

Affects: fedora-all [bug 2274682]


Created python-b4 tracking bugs for this issue:

Affects: epel-all [bug 2274681]


Created python-dns tracking bugs for this issue:

Affects: fedora-all [bug 2274685]


Created python3.11-dns-epel tracking bugs for this issue:

Affects: epel-all [bug 2274683]


Created python39-dns tracking bugs for this issue:

Affects: epel-all [bug 2274684]

Comment 10 Michel Lind 2024-04-18 02:46:58 UTC
Why is the python-b4 bug cut? As you can see, it just BuildRequires and Requires python3dist(dnspython) - it does not bundle it. Fixing dnspython would be sufficient.

❯ fedrq pkgs --src python-b4 -F requires
python3-devel
python3dist(packaging)
pyproject-rpm-macros
python3dist(wheel)
python3dist(pytest)
gnupg2
python3dist(pip) >= 19
(python3dist(tomli) if python3-devel < 3.11)
python3dist(setuptools) >= 40.8
(python3dist(requests) < 3~~ with python3dist(requests) >= 2.24)
(python3dist(dkimpy) < 2~~ with python3dist(dkimpy) >= 1)
(python3dist(dnspython) < 3~~ with python3dist(dnspython) >= 2.1)
(python3dist(git-filter-repo) < 3~~ with python3dist(git-filter-repo) >= 2.30)
(python3dist(patatt) < 2~~ with python3dist(patatt) >= 0.6)

❯ fedrq pkgs b4 -F requires
/usr/bin/python3
python(abi) = 3.12
(python3.12dist(requests) < 3~~ with python3.12dist(requests) >= 2.24)
(python3.12dist(dkimpy) < 2~~ with python3.12dist(dkimpy) >= 1)
(python3.12dist(dnspython) < 3~~ with python3.12dist(dnspython) >= 2.1)
(python3.12dist(git-filter-repo) < 3~~ with python3.12dist(git-filter-repo) >= 2.30)
(python3.12dist(patatt) < 2~~ with python3.12dist(patatt) >= 0.6)

Comment 11 errata-xmlrpc 2024-05-22 11:41:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3275 https://access.redhat.com/errata/RHSA-2024:3275

