2.6.0rc1

Posted on 10 February, 2024 at 06:00 PST by Dnspython Contributors

Dnspython 2.6.0rc1 is now available on PyPI.

This is the first release candidate for dnspython 2.6.0. See What’s New for details.

This release addresses the potential DoS issue discussed in the “TuDoor” paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.

We anticipate the final release in about a week.

Thank you to all the contributors to this release.

Dnspython 2.6.0 requires Python 3.8 or later. Python 3.8 goes into end-of-life state in October of 2024, and dnspython will drop support for it at that time and require 3.9 or later.