Source: ldns Version: 1.9.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 1.8.4-2 Control: found -1 1.8.3-1
Hi, The following vulnerability was published for ldns. CVE-2026-10846[0]: | NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used | in applications as (stub) resolver over UDP, lacks matching the | query destination address and port with the response source address | and port. Furthermore not the query ID, neither the question of the | query is matched with that of the response. This makes applications, | that use ldns for (stub) resolver functionality over UDP, vulnerable | for off-path poisoning attacks. The drill tool, which is shipped | with ldns, suffers from this vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-10846 https://www.cve.org/CVERecord?id=CVE-2026-10846 [1] https://www.nlnetlabs.nl/downloads/ldns/CVE-2026-10846.txt Regards, Salvatore
