]> git.ipfire.org Git - ipfire-2.x.git/commitdiff
projects / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 768e821)
dnsdist: Update to 2.0.3
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 31 Mar 2026 14:16:53 +0000 (14:16 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 31 Mar 2026 14:16:53 +0000 (14:16 +0000)
The issues fixed in these releases are:
- CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
- CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
- CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
- CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
- CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
- CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
- CVE-2026-27854: Denial of service when using DNSQuestion:getEDNSOptions method in custom Lua code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/dnsdist patch | blob | blame | history
src/patches/dnsdist-2.0.2-vloginfo.patch [deleted file] patch | blob | blame | history

diff --git a/lfs/dnsdist b/lfs/dnsdist
index d1dafabc59145cb1bccb40b8b72a4889f1b03dbd..7a70f4716c7fc943e0d9e779d3d132d987c01dd4 100644 (file)
--- a/lfs/dnsdist
+++ b/lfs/dnsdist
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A highly DNS-, DoS- and abuse-aware loadbalancer
 
-VER        = 2.0.2
+VER        = 2.0.3
 
 THISAPP    = dnsdist-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = dnsdist
-PAK_VER    = 31
+PAK_VER    = 32
 
 DEPS       =
 
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 87a4179f474d7f8117e4e03c4ff680f79207c8056765c6925ee21b3011e4555e47ad9c97950f30ab2876ac0978ee07555017cb1bbc6b93792992c1821f8da27a
+$(DL_FILE)_BLAKE2 = 5f915bfe5201b32956a30440c7b8bde4e9d1862b2c82a2f1124fd846f175e45cf58bd5c78c8ad2b876f8cbf36f9c9109141f2c7ddeff54d9eeac190870387dc5
 
 install : $(TARGET)
 
@@ -83,7 +83,6 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-       cd $(DIR_APP) && patch -Np3 < $(DIR_SRC)/src/patches/dnsdist-2.0.2-vloginfo.patch
        cd $(DIR_APP) && ./configure \
                --prefix=/usr \
                --sysconfdir=/etc \
diff --git a/src/patches/dnsdist-2.0.2-vloginfo.patch b/src/patches/dnsdist-2.0.2-vloginfo.patch
deleted file mode 100644 (file)
index 068c867..0000000
--- a/src/patches/dnsdist-2.0.2-vloginfo.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e01eb83ec8572248f7f661e27d67f731bfb1e5f7 Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <remi.gacogne@powerdns.com>
-Date: Thu, 16 Oct 2025 15:11:56 +0200
-Subject: [PATCH] dnsdist: Fix build error when only protobuf is enabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-The build fails with:
-```
-../dnsdist-protobuf.cc: In member function â\80\98void DNSDistProtoBufMessage::serialize(std::string&) constâ\80\99:
-../dnsdist-protobuf.cc:205:7: error: â\80\98vinfologâ\80\99 was not declared in this scope
-  205 |       vinfolog("Error while parsing the RRs from a response packet to add them to the protobuf message: %s", exp.what());
-      |       ^~~~~~~~
-```
-because of a missing header.
-
-Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
-(cherry picked from commit a279a1453094d0abfc847aa790bc82addc14cc62)
----
- pdns/dnsdistdist/dnsdist-protobuf.cc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/pdns/dnsdistdist/dnsdist-protobuf.cc b/pdns/dnsdistdist/dnsdist-protobuf.cc
-index e02b6d8755..cc4fae9139 100644
---- a/pdns/dnsdistdist/dnsdist-protobuf.cc
-+++ b/pdns/dnsdistdist/dnsdist-protobuf.cc
-@@ -25,6 +25,7 @@
- #include "base64.hh"
- #include "dnsdist.hh"
- #include "dnsdist-protobuf.hh"
-+#include "dolog.hh"
- #include "protozero.hh"
- DNSDistProtoBufMessage::DNSDistProtoBufMessage(const DNSQuestion& dnsquestion) :
--- 
-2.47.3
-
IPFire 2.x development tree