
Potential DoS via the Tudoor mechanism in eventlet and dnspython, Hue needs to upgrade two dependency package versions #3772

Closed
1 task done
rayliu0 opened this issue Jun 28, 2024 · 3 comments
Labels
BUG Issue type for reporting failure due to bug in functionality

Comments

@rayliu0

rayliu0 commented Jun 28, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Description

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. Hue needs to upgrade two dependency package versions.

Steps To Reproduce

Hue needs to upgrade two dependency package versions.
GHSA-3rq5-2g8h-59hc

Logs

No response

Hue version

4.11.0

@rayliu0 rayliu0 added the BUG Issue type for reporting failure due to bug in functionality label Jun 28, 2024
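The issue gives two version floors: eventlet 0.35.2 and, because 2.6.0 is unusable, dnspython 2.6.1. The script below is an added example (not Hue, eventlet or dnspython code) that audits a Python environment against those floors using only the standard library; `parse_version`, `needs_upgrade` and `audit_installed` are hypothetical helper names, and the version-parsing rules are this example's own simplification rather than PEP 440.

```python
"""Audit installed eventlet/dnspython versions against the TuDoor fix floors."""
from importlib import metadata
import re

# Minimum fixed versions taken from the issue text (GHSA-3rq5-2g8h-59hc).
# dnspython 2.6.0 carries the fix but is noted as unusable, so 2.6.1 is the floor.
# Tuples are (major, minor, patch, prerelease_flag); 0 means a final release.
MIN_FIXED = {
    "eventlet": (0, 35, 2, 0),
    "dnspython": (2, 6, 1, 0),
}


def parse_version(text):
    """Turn '0.35.2', '2.7' or '2.6.1rc1' into a comparable 4-tuple.

    Plain dotted integers give (major, minor, patch, 0). Any trailing
    non-numeric suffix (rc, b, dev, ...) sets the last element to -1 so a
    pre-release sorts *below* the final release with the same number; that is
    the conservative choice for an audit. Hypothetical helper, not PEP 440.
    """
    nums = []
    prerelease = 0
    for part in text.split("."):
        m = re.fullmatch(r"(\d+)(.*)", part)
        if not m:
            prerelease = -1
            break
        nums.append(int(m.group(1)))
        if m.group(2):  # e.g. "1rc1" -> digits "1", suffix "rc1"
            prerelease = -1
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) + (prerelease,)


def needs_upgrade(package, version_text):
    """True if version_text is below the fixed floor recorded for package."""
    return parse_version(version_text) < MIN_FIXED[package.lower()]


def audit_installed(packages=MIN_FIXED):
    """Inspect the live environment.

    Returns {package: (installed_version_or_None, needs_upgrade_bool)}.
    A package that is not installed at all is reported as (None, False).
    """
    report = {}
    for pkg in packages:
        try:
            installed = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            report[pkg] = (None, False)
            continue
        report[pkg] = (installed, needs_upgrade(pkg, installed))
    return report


if __name__ == "__main__":
    for pkg, (ver, bad) in audit_installed().items():
        state = "not installed" if ver is None else ("NEEDS UPGRADE" if bad else "ok")
        print(f"{pkg:10} {ver or '-':10} {state}")
```

Run it inside the virtualenv Hue uses; a "NEEDS UPGRADE" line means the environment still carries a version below the floor named in this issue. The pre-release handling errs on the side of flagging, so a `2.6.1rc1` build is reported as needing an upgrade.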
@rayliu0
Author

rayliu0 commented Jun 28, 2024

#3773

@amitsrivastava
Collaborator

amitsrivastava commented Jul 22, 2024

@rayliu0 Upgrading to the latest versions of dnspython and eventlet is breaking things and will require an upgrade of gunicorn. I have therefore proposed separate PRs #3796 and #3797 to bring in only the Tudoor/DoS related fixes into Hue in the short term while we work to upgrade gunicorn.

@rayliu0
Author

rayliu0 commented Jul 24, 2024

@amitsrivastava Thx
