This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.

This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.

`v2.6.0`: dnspython 2.6.0

Compare Source

See What's New for details.

This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [dnspython](https://github.com/rthalley/dnspython) | minor | `==2.5.0` -> `==2.8.0` | --- ### Release Notes <details> <summary>rthalley/dnspython (dnspython)</summary> ### [`v2.8.0`](https://github.com/rthalley/dnspython/releases/tag/v2.8.0): dnspython 2.8.0 [Compare Source](https://github.com/rthalley/dnspython/compare/v2.7.0...v2.8.0) See [What's New](https://dnspython.readthedocs.io/en/stable/whatsnew.html) for details. The minimum supported version of Python is 3.10. My thanks to the many people who have contributed to this release. Also thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington. This release was published to PyPI using Trusted Publishing. ### [`v2.7.0`](https://github.com/rthalley/dnspython/releases/tag/v2.7.0): dnspython 2.7.0 [Compare Source](https://github.com/rthalley/dnspython/compare/v2.6.1...v2.7.0) See [What's New](https://dnspython.readthedocs.io/en/stable/whatsnew.html) for details. The minimum supported version of Python is 3.9. My thanks to the many people who have contributed to this release. Also thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington. ### [`v2.6.1`](https://github.com/rthalley/dnspython/releases/tag/v2.6.1): dnspython 2.6.1 [Compare Source](https://github.com/rthalley/dnspython/compare/v2.6.0...v2.6.1) See [What's New](https://dnspython.readthedocs.io/en/latest/whatsnew.html) for details. This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously suppressed legitimate Truncated exceptions. This caused the stub resolver to timeout instead of failing over to TCP when a legitimate truncated response was received over UDP. This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired. Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington. ### [`v2.6.0`](https://github.com/rthalley/dnspython/releases/tag/v2.6.0): dnspython 2.6.0 [Compare Source](https://github.com/rthalley/dnspython/compare/v2.5.0...v2.6.0) See [What's New](https://dnspython.readthedocs.io/en/latest/whatsnew.html) for details. This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired. Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

tommy added 1 commit

2025-09-23 01:03:00 +00:00