From: Michael Tremer
Date: Tue, 31 Mar 2026 14:16:53 +0000 (+0000)
Subject: dnsdist: Update to 2.0.3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a9158dfdbe9767865784582dc05ff943f74460e;p=ipfire-2.x.git

dnsdist: Update to 2.0.3

The issues fixed in these releases are:

- CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
- CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
- CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
- CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
- CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
- CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
- CVE-2026-27854: Denial of service when using the DNSQuestion:getEDNSOptions method in custom Lua code
Signed-off-by: Michael Tremer --- diff --git a/lfs/dnsdist b/lfs/dnsdist index d1dafabc5..7a70f4716 100644 --- a/lfs/dnsdist +++ b/lfs/dnsdist @@ -26,7 +26,7 @@ include Config SUMMARY = A highly DNS-, DoS- and abuse-aware loadbalancer -VER = 2.0.2 +VER = 2.0.3 THISAPP = dnsdist-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = dnsdist -PAK_VER = 31 +PAK_VER = 32 DEPS = @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 87a4179f474d7f8117e4e03c4ff680f79207c8056765c6925ee21b3011e4555e47ad9c97950f30ab2876ac0978ee07555017cb1bbc6b93792992c1821f8da27a +$(DL_FILE)_BLAKE2 = 5f915bfe5201b32956a30440c7b8bde4e9d1862b2c82a2f1124fd846f175e45cf58bd5c78c8ad2b876f8cbf36f9c9109141f2c7ddeff54d9eeac190870387dc5 install : $(TARGET) @@ -83,7 +83,6 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np3 < $(DIR_SRC)/src/patches/dnsdist-2.0.2-vloginfo.patch cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc \ diff --git a/src/patches/dnsdist-2.0.2-vloginfo.patch b/src/patches/dnsdist-2.0.2-vloginfo.patch deleted file mode 100644 index 068c86728..000000000 --- a/src/patches/dnsdist-2.0.2-vloginfo.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From e01eb83ec8572248f7f661e27d67f731bfb1e5f7 Mon Sep 17 00:00:00 2001 -From: Remi Gacogne -Date: Thu, 16 Oct 2025 15:11:56 +0200 -Subject: [PATCH] dnsdist: Fix build error when only protobuf is enabled -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -The build fails with: -``` -../dnsdist-protobuf.cc: In member function ‘void DNSDistProtoBufMessage::serialize(std::string&) const’: -../dnsdist-protobuf.cc:205:7: error: ‘vinfolog’ was not declared in this scope - 205 | vinfolog("Error while parsing the RRs from a response packet to add them to the protobuf message: %s", exp.what()); - | ^~~~~~~~ -``` -because of a missing header. - -Signed-off-by: Remi Gacogne -(cherry picked from commit a279a1453094d0abfc847aa790bc82addc14cc62) ---- - pdns/dnsdistdist/dnsdist-protobuf.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/pdns/dnsdistdist/dnsdist-protobuf.cc b/pdns/dnsdistdist/dnsdist-protobuf.cc -index e02b6d8755..cc4fae9139 100644 ---- a/pdns/dnsdistdist/dnsdist-protobuf.cc -+++ b/pdns/dnsdistdist/dnsdist-protobuf.cc -@@ -25,6 +25,7 @@ - #include "base64.hh" - #include "dnsdist.hh" - #include "dnsdist-protobuf.hh" -+#include "dolog.hh" - #include "protozero.hh" - - DNSDistProtoBufMessage::DNSDistProtoBufMessage(const DNSQuestion& dnsquestion) : --- -2.47.3 -
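Review bot: the new `$(DL_FILE)_BLAKE2` value in the third lfs/dnsdist hunk is the only integrity check on the 2.0.3 tarball, and since `DL_FROM = $(URL_IPFIRE)` the file is fetched from the project's own mirror rather than from upstream; the commit message should record that the mirrored tarball was checked against the upstream release signature or checksum before the digest was taken, otherwise the hash bump only pins whatever was mirrored.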
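Review bot: dropping `cd $(DIR_APP) && patch -Np3 < $(DIR_SRC)/src/patches/dnsdist-2.0.2-vloginfo.patch` in the fourth lfs/dnsdist hunk assumes 2.0.3 already carries the `#include "dolog.hh"` that the deleted patch added (upstream cherry-pick of a279a1453094d0abfc847aa790bc82addc14cc62). That is worth stating explicitly in the commit message, because the patch fixed a build failure that appears only when protobuf alone is enabled, so a default build would not catch a regression if the include is still missing in the new release.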