From 7b86e531691808665f119fba4749372a7e45beb5afe5935961febc33e2f376b0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mark=C3=A9ta=20Machov=C3=A1?= Date: Thu, 20 Jun 2024 13:23:40 +0000 Subject: [PATCH] =?UTF-8?q?-=20Update=20to=20version=202.6.1=20=20=20*=20T?= =?UTF-8?q?he=20Tudoor=20fix=20ate=20legitimate=20Truncated=20exceptions,?= =?UTF-8?q?=20preventing=20=20=20=20=20the=20resolver=20from=20failing=20o?= =?UTF-8?q?ver=20to=20TCP=20and=20causing=20the=20query=20to=20=20=20=20?= =?UTF-8?q?=20timeout.=20-=20Update=20to=20version=202.6.0=20=20=20*=20As?= =?UTF-8?q?=20mentioned=20in=20the=20=E2=80=9CTuDoor=E2=80=9D=20paper=20an?= =?UTF-8?q?d=20the=20associated=20=20=20=20=20CVE-2023-29483,=20the=20dnsp?= =?UTF-8?q?ython=20stub=20resolver=20is=20vulnerable=20to=20a=20=20=20=20?= =?UTF-8?q?=20potential=20DoS=20if=20a=20bad-in-some-way=20response=20from?= =?UTF-8?q?=20the=20right=20=20=20=20=20address=20and=20port=20forged=20by?= =?UTF-8?q?=20an=20attacker=20arrives=20before=20a=20=20=20=20=20legitimat?= =?UTF-8?q?e=20one=20on=20the=20UDP=20port=20dnspython=20is=20using=20for?= =?UTF-8?q?=20that=20=20=20=20=20query.=20=20=20=20=20This=20release=20add?= =?UTF-8?q?resses=20the=20issue=20by=20adopting=20the=20recommended=20=20?= =?UTF-8?q?=20=20=20mitigation,=20which=20is=20ignoring=20the=20bad=20pack?= =?UTF-8?q?ets=20and=20continuing=20to=20=20=20=20=20listen=20for=20a=20le?= =?UTF-8?q?gitimate=20response=20until=20the=20timeout=20for=20the=20=20?= =?UTF-8?q?=20=20=20query=20has=20expired.=20=20=20*=20Added=20support=20f?= =?UTF-8?q?or=20the=20NSID=20EDNS=20option.=20=20=20*=20Dnspython=20now=20?= =?UTF-8?q?looks=20for=20version=20metadata=20for=20optional=20packages=20?= =?UTF-8?q?=20=20=20=20and=20will=20not=20use=20them=20if=20they=20are=20t?= =?UTF-8?q?oo=20old.=20This=20prevents=20=20=20=20=20possible=20exceptions?= =?UTF-8?q?=20when=20a=20feature=20like=20DoH=20is=20not=20desired=20in=20?= =?UTF-8?q?=20=20=20=20dnspython,=20but=20an=20old=20httpx=20is=20installe?= =?UTF-8?q?d=20along=20with=20=20=20=20=20dnspython=20for=20some=20other?= 
=?UTF-8?q?=20purpose.=20=20=20*=20The=20DoHNameserver=20class=20now=20all?= =?UTF-8?q?ows=20GET=20to=20be=20used=20instead=20of=20=20=20=20=20the=20d?= =?UTF-8?q?efault=20POST,=20and=20also=20passes=20source=20and=20source=5F?= =?UTF-8?q?port=20=20=20=20=20correctly=20to=20the=20underlying=20query=20?= =?UTF-8?q?methods.=20-=20Update=20to=20version=202.5.0=20=20=20*=20Dnspyt?= =?UTF-8?q?hon=20now=20uses=20hatchling=20for=20builds.=20=20=20*=20Cython?= =?UTF-8?q?=20is=20no=20longer=20supported=20due=20to=20various=20typing?= =?UTF-8?q?=20issues.=20=20=20*=20Dnspython=20now=20explicitly=20canonical?= =?UTF-8?q?izes=20IPv4=20and=20IPv6=20addresses.=20=20=20=20=20Previously?= =?UTF-8?q?=20it=20was=20possible=20for=20non-canonical=20IPv6=20forms=20t?= =?UTF-8?q?o=20be=20=20=20=20=20stored=20in=20a=20AAAA=20address,=20which?= =?UTF-8?q?=20would=20work=20correctly=20but?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-dnspython?expand=0&rev=76 --- dnspython-2.4.2.tar.gz | 3 --- dnspython-2.6.1.tar.gz | 3 +++ python-dnspython.changes | 54 ++++++++++++++++++++++++++++++++++++++++ python-dnspython.spec | 7 +++--- 4 files changed, 61 insertions(+), 6 deletions(-) delete mode 100644 dnspython-2.4.2.tar.gz create mode 100644 dnspython-2.6.1.tar.gz
diff --git a/dnspython-2.4.2.tar.gz b/dnspython-2.4.2.tar.gz
deleted file mode 100644
index b9529d6..0000000
--- a/dnspython-2.4.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8dcfae8c7460a2f84b4072e26f1c9f4101ca20c071649cb7c34e8b6a93d58984
-size 328126
diff --git a/dnspython-2.6.1.tar.gz b/dnspython-2.6.1.tar.gz
new file mode 100644
index 0000000..0f8199e
--- /dev/null
+++ b/dnspython-2.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8f0f9c23a7b7cb99ded64e6c3a6f3e701d78f50c55e002b839dea7225cff7cc
+size 332727
diff --git a/python-dnspython.changes b/python-dnspython.changes
index c608dcd..8159e5a 100644
--- a/python-dnspython.changes
+++ b/python-dnspython.changes
@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Thu Jun 20 12:26:09 UTC 2024 - Martin Hauke
+
+- Update to version 2.6.1
+ * The Tudoor fix ate legitimate Truncated exceptions, preventing
+ the resolver from failing over to TCP and causing the query to
+ timeout.
+- Update to version 2.6.0
+ * As mentioned in the “TuDoor” paper and the associated
+ CVE-2023-29483, the dnspython stub resolver is vulnerable to a
+ potential DoS if a bad-in-some-way response from the right
+ address and port forged by an attacker arrives before a
+ legitimate one on the UDP port dnspython is using for that
+ query.
+ This release addresses the issue by adopting the recommended
+ mitigation, which is ignoring the bad packets and continuing to
+ listen for a legitimate response until the timeout for the
+ query has expired.
+ * Added support for the NSID EDNS option.
+ * Dnspython now looks for version metadata for optional packages
+ and will not use them if they are too old. This prevents
+ possible exceptions when a feature like DoH is not desired in
+ dnspython, but an old httpx is installed along with
+ dnspython for some other purpose.
+ * The DoHNameserver class now allows GET to be used instead of
+ the default POST, and also passes source and source_port
+ correctly to the underlying query methods.
+- Update to version 2.5.0
+ * Dnspython now uses hatchling for builds.
+ * Cython is no longer supported due to various typing issues.
+ * Dnspython now explicitly canonicalizes IPv4 and IPv6 addresses.
+ Previously it was possible for non-canonical IPv6 forms to be
+ stored in a AAAA address, which would work correctly but
+ possibly cause problmes if the address were used as a key in a
+ dictionary.
+ * The number of messages in a section can be retrieved with
+ section_count().
+ * Truncation preferences for messages can be specified.
+ * The length of a message can be automatically prepended when
+ rendering.
+ * dns.message.create_response() automatically adds padding when
+ required by RFC 8467.
+ * The TLS verify parameter is now supported by dns.query.tls(),
+ and the DoH and DoT Nameserver subclasses.
+ * The MutableMapping used to store content in a zone may now be
+ specified by a factory when subclassing. Factories may also be
+ provided for writable verisons and immutable versions.
+ * dns.name.Name now has predecessor() and successor() methods
+ implementing RFC 4471.
+ * QUIC has had a number of bug fixes and also now supports
+ session tickets for faster session resumption.
+ * The NSEC3 class now has a next_name() method for retrieving the
+ next name as a dns.name.Name.
+
 -------------------------------------------------------------------
 Thu Oct 5 17:10:40 UTC 2023 - Matej Cepl
 
diff --git a/python-dnspython.spec b/python-dnspython.spec
index 43941f8..0b0021e 100644
--- a/python-dnspython.spec
+++ b/python-dnspython.spec
@@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package python-dnspython
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 %define skip_python2 1
 %{?sle15_python_module_pythons}
 Name: python-dnspython%{psuffix}
-Version: 2.4.2
+Version: 2.6.1
 Release: 0
 Summary: A DNS toolkit for Python
 License: ISC
@@ -35,6 +35,7 @@ Group: Development/Languages/Python
 URL: https://github.com/rthalley/dnspython
 Source: https://files.pythonhosted.org/packages/source/d/dnspython/dnspython-%{version}.tar.gz
 BuildRequires: %{python_module base >= 3.8}
+BuildRequires: %{python_module hatchling}
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module poetry-core}
 BuildRequires: fdupes
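Review bot: `BuildRequires: %{python_module poetry-core}` is kept two lines below the added hatchling requirement in the last spec hunk, although the changelog entry in this same patch says that from 2.5.0 "Dnspython now uses hatchling for builds". If the upstream pyproject.toml no longer names poetry-core as its build backend, that line is a stale build dependency and should be dropped, so the build root pulls in only what the build uses; if it is still needed, a short comment such as `# still required by <reason>` would say why. The spec preamble continues outside the hunk, so I cannot see the Requires/Recommends for the optional packages; since 2.6.0 is described as ignoring optional packages whose version metadata is too old, any versioned minimums there are worth checking against upstream in this update.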