ALAS-2024-739

Amazon Linux 2023 Security Advisory: ALAS-2024-739
Advisory Release Date: 2024-10-10 03:02 Pacific
Advisory Updated Date: 2024-10-14 16:00 Pacific

Severity: Medium

References: CVE-2023-29483
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. (CVE-2023-29483)

Affected Packages:

python-dns

Issue Correction:
Run dnf update python-dns --releasever 2023.6.20241010 to update your system.

New Packages:

noarch:
    python3-dns+idna-2.1.0-3.amzn2023.0.4.noarch
    python3-dns+dnssec-2.1.0-3.amzn2023.0.4.noarch
    python3-dns-2.1.0-3.amzn2023.0.4.noarch

src:
    python-dns-2.1.0-3.amzn2023.0.4.src

Additional References

Red Hat: CVE-2023-29483

Mitre: CVE-2023-29483

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

ALAS-2024-739

Additional References