git.ipfire.org Git - thirdparty/bind9.git/commit
[9.20] [CVE-2026-3593] sec: usr: Add system test for HTTP/2 SETTINGS frame flood
author Aydın Mercan <aydin@isc.org>
Wed, 6 May 2026 07:23:43 +0000 (10:23 +0300)
committer Michał Kępień <michal@isc.org>
Thu, 7 May 2026 11:09:18 +0000 (13:09 +0200)
commit b86a641823f5634fc42de35b4d0f68aa36ed5bd5
tree 3a01718759222d125c896c5c55f3c768277ac78e
parent 9a7f5627e0afa7aefd612cf5d47f3a1bb559336c
parent 637a127f6506db4260584ce3840fb4a6fde9112a

A use-after-free vulnerability in the DNS-over-HTTPS implementation could cause named to crash when a client sends a flood of HTTP/2 SETTINGS frames while a DoH response is being written. This affects servers with DoH (DNS-over-HTTPS) enabled.

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting this.

For: https://gitlab.isc.org/isc-projects/bind9/-/issues/5755

Backport of https://gitlab.isc.org/isc-private/bind9/-/merge_requests/949

Merge branch '5755-security-heap-user-after-free-http2-settings-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!992