Source: dnsdist
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for dnsdist.

CVE-2025-30194[0]:
| When DNSdist is configured to provide DoH via the nghttp2 provider,
| an attacker can cause a denial of service by crafting a DoH exchange
| that triggers an illegal memory access (double-free) and crash of
| DNSdist, causing a denial of service. The remedy is: upgrade to the
| patched 1.9.9 version. A workaround is to temporarily switch to the
| h2o provider until DNSdist has been upgraded to a fixed version. We
| would like to thank Charles Howes for bringing this issue to our
| attention.

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html
https://github.com/PowerDNS/pdns/issues/15475

bookworm isn't affected, I've updated the Security Tracker accordingly.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30194
    https://www.cve.org/CVERecord?id=CVE-2025-30194

Please adjust the affected versions in the BTS as needed.
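
An added example, not part of the original report or of dnsdist itself: a Python check that lists the DoH listeners in a dnsdist Lua configuration that are still served by the nghttp2 provider on a release older than the fixed 1.9.9. It assumes the `library` option of `addDOHLocal` selects the provider and that nghttp2 is the default from 1.9.0 on; the sample configuration, addresses and paths are constructed.

```python
import re

FIXED = (1, 9, 9)            # patched release named in the advisory
NGHTTP2_DEFAULT = (1, 9, 0)  # assumption: nghttp2 is the default DoH library from 1.9.0 on

# One addDOHLocal(...) call; simplification: no ")" inside its arguments.
CALL = re.compile(r"addDOHLocal\s*\(([^)]*)\)")
LIBRARY = re.compile(r"library\s*=\s*[\"'](\w+)[\"']")
FIRST_STRING = re.compile(r"[\"']([^\"']+)[\"']")

# Constructed sample configuration (documentation addresses, made-up paths).
SAMPLE = """
addDOHLocal("192.0.2.10:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", "/dns-query")
addDOHLocal("192.0.2.11:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", "/dns-query", { library = "h2o" })
-- addDOHLocal("192.0.2.12:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", "/dns-query")
"""

def parse_version(text):
    """'1.9.8-1' -> (1, 9, 8); only the first three numeric fields count."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def strip_comments(conf):
    """Drop Lua line comments so commented-out listeners are ignored."""
    return "\n".join(line.split("--", 1)[0] for line in conf.splitlines())

def doh_listeners(conf, version):
    """Return (listen address, provider) for every addDOHLocal call."""
    default = "nghttp2" if version >= NGHTTP2_DEFAULT else "h2o"
    found = []
    for call in CALL.finditer(strip_comments(conf)):
        args = call.group(1)
        addr = FIRST_STRING.search(args)
        lib = LIBRARY.search(args)
        found.append((addr.group(1) if addr else "?",
                      lib.group(1).lower() if lib else default))
    return found

def exposed(conf, version_text):
    """Listeners served by nghttp2 on a release older than the fixed one."""
    version = parse_version(version_text)
    if version >= FIXED:
        return []
    return [addr for addr, lib in doh_listeners(conf, version) if lib == "nghttp2"]

if __name__ == "__main__":
    for release in ("1.9.8", "1.9.9"):
        print(release, exposed(SAMPLE, release))
```

Lua block comments and the `--` sequence inside string arguments are not handled, so treat an empty result as a prompt to read the configuration, not as proof.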