1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.RC

  • Bug#1104351: dnsdist: CVE-2025-30194

    From =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=@21:1/5 to All on Tue Apr 29 14:30:02 2025
    Source: dnsdist
    X-Debbugs-CC: team@security.debian.org
    Severity: grave
    Tags: security

    Hi,

    The following vulnerability was published for dnsdist.

    CVE-2025-30194[0]:
    | When DNSdist is configured to provide DoH via the nghttp2 provider,
    | an attacker can cause a denial of service by crafting a DoH exchange
    | that triggers an illegal memory access (double-free) and crash of
    | DNSdist, causing a denial of service. The remedy is: upgrade to the
    | patched 1.9.9 version. A workaround is to temporarily switch to the
    | h2o provider until DNSdist has been upgraded to a fixed version. We
    | would like to thank Charles Howes for bringing this issue to our
    | attention.

    https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html
    https://github.com/PowerDNS/pdns/issues/15475

    bookworm isn't affected, I've updated the Security Tracker accordingly.



    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-30194
    https://www.cve.org/CVERecord?id=CVE-2025-30194

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Debian Bug Tracking System@21:1/5 to All on Tue Apr 29 17:40:02 2025
    This is a multi-part message in MIME format...

    Your message dated Tue, 29 Apr 2025 17:14:32 +0200
    with message-id <q74b6cf3cev5z5y4bp3ggd63k6j7zygc2mit55wfvyhrdkfj3j@l3xltn6openr>
    and subject line Accepted dnsdist 1.9.9-1 (source) into unstable
    has caused the Debian Bug report #1104351,
    regarding dnsdist: CVE-2025-30194
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1104351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104351
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 29 Apr 2025 12:19:58 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
    (2021-04-09) on buxtehude.debian.org
    X-Spam-Level:
    X-Spam-Status: No, score=-4.0 required=4.0 tests=BAYES_00,SPF_HELO_NONE,
    SPF_PASS autolearn=ham autolearn_force=no
    version=3.4.6-bugs.debian.org_2005_01_02
    X-Spam-Bayes: score:0.0000 Tokens: new, 23; hammy, 149; neutral, 45; spammy,
    1. spammytokens:0.951-+--our hammytokens:0.000-+--bookworm,
    0.000-+--H*r:jmm, 0.000-+--UD:security-tracker.debian.org,
    0.000-+--security-tracker.debian.org, 0.000-+--securitytrackerdebianorg Return-path: <jmm@inutil.org>
    Received: from vps-b7ad3695.vps.ovh.net ([51.38.114.215]:37258)
    by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
    (Exim 4.94.2)
    (envelope-from <jmm@inutil.org>)