Vulnerability CVE-2023-29483: Information

Description

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-29483
Published: April 11, 2024
Modified: April 12, 2024

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
python3-module-dnssisyphus2.6.1-alt12.6.1-alt1ALT-PU-2024-3293-4341811Fixed
python3-module-dnssisyphus_e2k2.6.1-alt12.6.1-alt1ALT-PU-2024-3380-1-Fixed
python3-module-dnssisyphus_riscv642.6.1-alt12.6.1-alt1ALT-PU-2024-3817-1-Fixed
python3-module-dnssisyphus_loongarch642.6.1-alt12.6.1-alt1ALT-PU-2024-3388-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.dnspython.org/
    https://github.com/rthalley/dnspython/releases/tag/v2.6.0
      https://github.com/rthalley/dnspython/issues/1045
        https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
          https://github.com/eventlet/eventlet/issues/913
            https://github.com/eventlet/eventlet/releases/tag/v0.35.2
              VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
              Version: v24.4.2
              Back to top