From f2791401d71fcdbd45722f19dbbc394bd3cd53f1 Mon Sep 17 00:00:00 2001 From: Bob Halley Date: Fri, 9 Feb 2024 13:27:52 -0800 Subject: [PATCH] update for 2.6.0 --- doc/whatsnew.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/doc/whatsnew.rst b/doc/whatsnew.rst index ada72d59..23a29e43 100644 --- a/doc/whatsnew.rst +++ b/doc/whatsnew.rst @@ -6,8 +6,22 @@ What's New in dnspython 2.6.0 (in development) ---------------------- +* As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython + stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the + right address and port forged by an attacker arrives before a legitimate one on the + UDP port dnspython is using for that query. + + This release addresses the issue by adopting the recommended mitigation, which is + ignoring the bad packets and continuing to listen for a legitimate response until + the timeout for the query has expired. + * Added support for the NSID EDNS option. +* Dnspython now looks for version metadata for optional packages and will not + use them if they are too old. This prevents possible exceptions when a + feature like DoH is not desired in dnspython, but an old httpx is installed + along with dnspython for some other purpose. + 2.5.0 ----- -- 2.47.3
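Review bot: In the first added bullet, "bad-in-some-way response" is too vague for a security changelog entry; a reader cannot tell which responses used to trigger the "potential DoS" or what a caller saw when it happened. Name the condition concretely or reference the relevant section of the TuDoor paper, and say how the query behaved before the fix. The mitigation paragraph says the resolver now keeps listening "until the timeout for the query has expired", so it is worth stating that a query receiving only forged packets now ends in a timeout, which tells callers what to expect. In the last added bullet, "too old" gives no minimum versions; point to where the required versions of optional packages such as httpx are documented. The context heading still reads "2.6.0 (in development)"; if this commit is the release update its subject suggests, change that heading in the same patch.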