2.6.0

Posted on 16 February, 2024 at 12:15 PST by Dnspython Contributors

Dnspython 2.6.0 is now available on PyPI.

This release addresses the potential DoS issue discussed in the “TuDoor” paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.

Dnspython 2.6.0 requires Python 3.8 or later. Python 3.8 goes into end-of-life state in October of 2024, and dnspython will drop support for it at that time and require 3.9 or later.