eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a “TuDoor” attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.
github.com/eventlet/eventlet
github.com/eventlet/eventlet/commit/51e3c4928d4938beb576eff34f3bf97e6e64e6b4
github.com/eventlet/eventlet/issues/913
github.com/eventlet/eventlet/releases/tag/v0.35.2
github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2
github.com/rthalley/dnspython/issues/1045
github.com/rthalley/dnspython/releases/tag/v2.6.0
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF
nvd.nist.gov/vuln/detail/CVE-2023-29483
security.netapp.com/advisory/ntap-20240510-0001
security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713
www.dnspython.org
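
The difference between the affected behavior and the preferred one described above, as an added, simplified model (not eventlet or dnspython code). The resolver address, transaction ID, packet trace and all function names are constructed for illustration, and only the DNS header is checked.

```python
import struct

RESOLVER = ("192.0.2.53", 53)   # constructed address (TEST-NET-1)
QUERY_ID = 0x1A2B               # constructed transaction ID

def parse_response(payload, query_id):
    """Return the payload if its header is a reply to our query, else raise ValueError."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags = struct.unpack("!HH", payload[:4])
    if ident != query_id or not flags & 0x8000:   # wrong ID, or QR bit clear
        raise ValueError("not a response to our query")
    return payload

def resolve(events, timeout, keep_waiting):
    """Model a stub resolver's receive loop (hypothetical helper).

    events: (arrival_time_s, source, payload) tuples in arrival order.
    keep_waiting=False: the first invalid packet from the expected source
    ends resolution (the affected behavior).
    keep_waiting=True: invalid packets are dropped and the full time window
    is used to wait for a valid one (the preferred behavior).
    """
    for arrival, source, payload in events:
        if arrival > timeout:
            break
        if source != RESOLVER:
            continue          # unexpected source: ignored in both modes
        try:
            return parse_response(payload, QUERY_ID)
        except ValueError:
            if not keep_waiting:
                return None   # fails although a valid reply is still in flight
    return None               # window expired without a valid reply

def header(ident, flags):
    """Build a 12-byte DNS header with one question and one answer."""
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)

# Constructed trace: a truncated packet at 5 ms, the genuine reply at 40 ms.
VALID = header(QUERY_ID, 0x8180) + b"\x00"   # header-only stand-in for a reply
TRACE = [(0.005, RESOLVER, b"\x00\x01"), (0.040, RESOLVER, VALID)]

if __name__ == "__main__":
    print("give up on first bad packet:", resolve(TRACE, 2.0, keep_waiting=False))
    print("wait out the window:", resolve(TRACE, 2.0, keep_waiting=True))
```
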