From: Bob Halley Date: Fri, 9 Feb 2024 21:27:52 +0000 (-0800) Subject: update for 2.6.0 X-Git-Tag: v2.6.0rc1~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2791401d71fcdbd45722f19dbbc394bd3cd53f1;p=thirdparty%2Fdnspython.git update for 2.6.0 --- diff --git a/doc/whatsnew.rst b/doc/whatsnew.rst index ada72d59..23a29e43 100644 --- a/doc/whatsnew.rst +++ b/doc/whatsnew.rst @@ -6,8 +6,22 @@ What's New in dnspython 2.6.0 (in development) ---------------------- +* As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython + stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the + right address and port forged by an attacker arrives before a legitimate one on the + UDP port dnspython is using for that query. + + This release addresses the issue by adopting the recommended mitigation, which is + ignoring the bad packets and continuing to listen for a legitimate response until + the timeout for the query has expired. + * Added support for the NSID EDNS option. +* Dnspython now looks for version metadata for optional packages and will not + use them if they are too old. This prevents possible exceptions when a + feature like DoH is not desired in dnspython, but an old httpx is installed + along with dnspython for some other purpose. + 2.5.0 -----
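Review bot: In the first added bullet of doc/whatsnew.rst, "a bad-in-some-way response" is too vague for a security note tied to CVE-2023-29483. It should say what makes a response "bad" as far as the resolver is concerned, so readers can judge their exposure. The second paragraph of that bullet should also state the caller-visible effect of the mitigation. As written, the resolver ignores bad packets and keeps listening "until the timeout for the query has expired", which implies that a query receiving only forged responses now ends as a timeout; saying so explicitly would help operators who alert on resolver errors. In the last added bullet, "if they are too old" would be more useful with a pointer to where the minimum versions of optional packages such as httpx are listed.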