This release fixes CVE-2024-25581, a denial of service security issue affecting versions 1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected.
When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / ipfire-2.x.git / commit
