Message-ID: <bcf2c942-420e-48d6-876e-375f0d42fc81@powerdns.com>
Date: Tue, 31 Mar 2026 14:12:28 +0200
From: Remi Gacogne <remi.gacogne@...erdns.com>
To: oss-security@...ts.openwall.com
Subject: PowerDNS Security Advisory 2026-02 for DNSdist: Multiple issues
Hi all,
Today we released two new versions of DNSdist, 1.9.12 and 2.0.3, fixing
several security issues that have been reported to us. These security
issues are low-severity or involve unusual configurations.
The issues fixed in these releases are:
- CVE-2026-0396: An attacker might be able to inject HTML content into
the internal web dashboard by sending crafted DNS queries to a DNSdist
instance where domain-based dynamic rules have been enabled via either
"DynBlockRulesGroup:setSuffixMatchRule" or
"DynBlockRulesGroup:setSuffixMatchRuleFFI"
- CVE-2026-0397: When the internal webserver is enabled (default is
disabled), an attacker might be able to trick an administrator logged in to
the dashboard into visiting a malicious website and extract information
about the running configuration from the dashboard
- CVE-2026-24028: An attacker might be able to trigger an out-of-bounds
read by sending a crafted DNS response packet, when custom Lua code uses
"newDNSPacketOverlay" to parse DNS packets
- CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua)
option is disabled (default is enabled) on a DNS over HTTPS frontend
using the "nghttp2" provider, the ACL check is skipped, allowing all
clients to send DoH queries regardless of the configured ACL
- CVE-2026-24030: An attacker might be able to trick DNSdist into
allocating too much memory while processing DNS over QUIC or DNS over
HTTP/3 payloads, resulting in denial of service
- CVE-2026-27853: An attacker might be able to trigger an out-of-bounds
write by sending crafted DNS responses to a DNSdist using the
"DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom
Lua code. In some cases the rewritten packet might become larger than
the initial response and even exceed 65535 bytes, potentially leading to
a crash resulting in denial of service
- CVE-2026-27854: Denial of service when using the
DNSQuestion:getEDNSOptions method in custom Lua code
The full security advisory can be found at
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
Minimal patches can be found at
https://downloads.powerdns.com/patches/2026-02/
Please feel free to contact me directly if you have any questions.
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
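The following is an added triage helper, not part of the advisory above and not PowerDNS code. It checks a DNSdist version string against the two fixed releases the advisory names (1.9.12 on the 1.9 branch, 2.0.3 on the 2.0 branch) and scans a Lua configuration for the features the advisory ties to each CVE, so an operator can see which of the seven issues their deployment is actually exposed to before patching. Assumptions, all marked in the code: that `dnsdist --version` prints a line of the form `dnsdist X.Y.Z ...`; that a pre-release of a fixed version (e.g. `2.0.3-rc1`) should not be assumed to carry the fix; that the DoQ and DoH3 frontends are declared with `addDOQLocal` / `addDOH3Local`; and that the sample configuration is constructed for illustration, with argument lists that are not meant to be exact. The configuration scan is a plain pattern match: for CVE-2026-24029 it only looks for `earlyACLDrop=false` and does not verify that the frontend uses the nghttp2 provider.

```python
"""Triage helper for PowerDNS Security Advisory 2026-02 (DNSdist).

Added example, not PowerDNS's own code. Fixed versions and CVE-to-feature
mapping come from the advisory text; everything else is an assumption
marked inline.
"""
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {(1, 9): (1, 9, 12), (2, 0): (2, 0, 3)}

# Configuration features the advisory associates with each CVE. Identifiers
# are the ones the advisory names, except addDOQLocal/addDOH3Local, which is
# an assumption about how the DoQ/DoH3 frontends are declared.
CVE_TRIGGERS = {
    "CVE-2026-0396": [r"setSuffixMatchRule(?:FFI)?\s*\("],
    "CVE-2026-0397": [r"\bwebserver\s*\("],
    "CVE-2026-24028": [r"\bnewDNSPacketOverlay\s*\("],
    # Only the option value is checked; the nghttp2 provider is not verified.
    "CVE-2026-24029": [r"earlyACLDrop\s*=\s*false"],
    "CVE-2026-24030": [r"\baddDOQLocal\s*\(", r"\baddDOH3Local\s*\("],
    "CVE-2026-27853": [r":changeName\s*\("],
    "CVE-2026-27854": [r":getEDNSOptions\s*\("],
}


def parse_version(text):
    """Extract (major, minor, patch, prerelease) from a version string.

    Assumption: `dnsdist --version` output looks like 'dnsdist 1.9.11 (Lua ...)'.
    prerelease is '' for a final release, e.g. 'rc1' for '2.0.3-rc1'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+\d*))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def assess_version(text):
    """Return 'fixed', 'affected', or 'not-covered' for a version string.

    'not-covered' means the branch is not one of the two the advisory names;
    that is not a statement that the version is safe.
    """
    major, minor, patch, pre = parse_version(text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "not-covered"
    if (major, minor, patch) > fixed:
        return "fixed"
    if (major, minor, patch) == fixed:
        # Assumption: a pre-release of the fixed version is treated as not fixed.
        return "fixed" if pre == "" else "affected"
    return "affected"


def scan_config(lua_text):
    """Map each CVE to the trigger patterns found in the configuration."""
    hits = {}
    for cve, patterns in CVE_TRIGGERS.items():
        matched = [p for p in patterns if re.search(p, lua_text)]
        if matched:
            hits[cve] = matched
    return hits


def triage(version_text, lua_text):
    """Combine the version verdict with the list of CVEs the config exposes."""
    return {
        "version": assess_version(version_text),
        "config_exposed": sorted(scan_config(lua_text)),
    }


# Constructed sample dnsdist.conf for illustration; argument lists are not exact.
SAMPLE_CONFIG = r"""
setLocal("0.0.0.0:53")
newServer({address="192.0.2.1"})
webserver("127.0.0.1:8083")
addDOHLocal("0.0.0.0:443", "cert.pem", "key.pem", {"/dns-query"},
            {library="nghttp2", earlyACLDrop=false})
local dbr = dynBlockRulesGroup()
dbr:setSuffixMatchRule(10, "suffix-based dynamic block", 60, DNSAction.Drop)
function rewrite(dr)
  dr:changeName(newDNSName("example.net."))
  return DNSResponseAction.None
end
addResponseAction(AllRule(), LuaResponseAction(rewrite))
"""

if __name__ == "__main__":
    # Constructed version line, shaped like `dnsdist --version` output.
    print(triage("dnsdist 1.9.11 (Lua 5.4.6)", SAMPLE_CONFIG))
```

Run it against the real `dnsdist --version` output and the deployed configuration file; a result of `affected` with an empty `config_exposed` list still warrants upgrading, since the scan only recognises the identifiers the advisory names and a configuration may reach the same code paths by other means.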