ALAS2023-2024-739

Amazon Linux 2023 Security Advisory: ALAS2023-2024-739
Advisory Released Date: 2024-10-14
Advisory Updated Date: 2024-10-14

Severity: Medium

References: CVE-2023-29483
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. (CVE-2023-29483)

Affected Packages:

python-dns

Issue Correction:
Run dnf update python-dns --releasever 2023.6.20241010 to update your system.

New Packages:

noarch:
    python3-dns+idna-2.1.0-3.amzn2023.0.4.noarch
    python3-dns+dnssec-2.1.0-3.amzn2023.0.4.noarch
    python3-dns-2.1.0-3.amzn2023.0.4.noarch

src:
    python-dns-2.1.0-3.amzn2023.0.4.src

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2023-29483

Mitre: CVE-2023-29483