dnsdist - Debian Package Tracker

general

source: dnsdist (main)
version: 2.0.5-1
maintainer: dnsdist packagers (DMD)
uploaders: Chris Hofstaedtler [DMD]
arch: any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.5.1-3
oldstable: 1.7.3-2
stable: 1.9.10-1+deb13u1
testing: 2.0.5-1
unstable: 2.0.5-1

versioned links

1.5.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.3-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.10-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.14-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

dnsdist

action needed

18 security issues in trixie high

There are 18 open security issues in trixie.

11 important issues:

CVE-2026-33254: An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
CVE-2026-33257: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVE-2026-33260: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVE-2026-33593: A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
CVE-2026-33594: A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
CVE-2026-33595: A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.
CVE-2026-33596: A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
CVE-2026-33597: PRSD detection denial of service
CVE-2026-33598: A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.
CVE-2026-33599: A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
CVE-2026-33602: A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.

7 issues left for the package maintainer to handle:

CVE-2026-0396: (needs triaging) An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
CVE-2026-0397: (needs triaging) When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
CVE-2026-24028: (needs triaging) An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.
CVE-2026-24029: (needs triaging) When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
CVE-2026-24030: (needs triaging) An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
CVE-2026-27853: (needs triaging) An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.
CVE-2026-27854: (needs triaging) An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-03-31 Last update: 2026-04-28 19:02

A new upstream version is available: 2.1.0-beta2 high

A new upstream version 2.1.0-beta2 is available, you should consider packaging it.

Created: 2026-01-31 Last update: 2026-04-28 15:17

lintian reports 1 error high

Lintian reports 1 error about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-23 Last update: 2026-04-23 20:31

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 59a57e600d3378587837ce0ec82fd958522af593
Author: Chris Hofstaedtler <zeha@debian.org>
Date:   Sun Apr 26 20:34:26 2026 +0200

    Setup branches for multiple debian releases

Created: 2026-04-26 Last update: 2026-04-26 21:31

debian/patches: 1 patch to forward upstream low

Among the 1 debian patch available in version 2.0.5-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-08-12 Last update: 2026-04-23 19:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.5.1).

Created: 2021-08-18 Last update: 2026-04-23 18:16

testing migrations

This package is part of the ongoing testing transition known as auto-libsodium. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-04-28] Accepted dnsdist 1.9.14-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Christian Hofstaedtler)
[2026-04-28] dnsdist 2.0.5-1 MIGRATED to testing (Debian testing watch)
[2026-04-23] Accepted dnsdist 2.0.5-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2026-04-22] Accepted dnsdist 2.0.4-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2026-04-05] dnsdist 2.0.3-1 MIGRATED to testing (Debian testing watch)
[2026-03-31] Accepted dnsdist 2.0.3-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-12-08] dnsdist 2.0.2-1 MIGRATED to testing (Debian testing watch)
[2025-12-02] Accepted dnsdist 2.0.2-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-11-01] Accepted dnsdist 1.9.10-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Christian Hofstaedtler)
[2025-09-28] dnsdist 2.0.1-1 MIGRATED to testing (Debian testing watch)
[2025-09-22] Accepted dnsdist 2.0.1-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-09-14] dnsdist 2.0.0-6 MIGRATED to testing (Debian testing watch)
[2025-09-07] Accepted dnsdist 2.0.0-6 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-09-06] Accepted dnsdist 2.0.0-5 (source arm64) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-09-02] Accepted dnsdist 2.0.0-4 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-08-20] dnsdist 2.0.0-3 MIGRATED to testing (Debian testing watch)
[2025-08-12] Accepted dnsdist 2.0.0-3 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-07-30] Accepted dnsdist 2.0.0-2 (source) into experimental (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-07-21] Accepted dnsdist 2.0.0-1 (source) into experimental (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-07-20] Accepted dnsdist 2.0.0~rc2-1 (source) into experimental (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-07-12] Accepted dnsdist 2.0.0~rc1-2 (source) into experimental (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-07-12] Accepted dnsdist 2.0.0~rc1-1 (source) into experimental (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-05-27] dnsdist 1.9.10-1 MIGRATED to testing (Debian testing watch)
[2025-05-21] Accepted dnsdist 1.9.10-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2025-05-09] dnsdist 1.9.9-1 MIGRATED to testing (Debian testing watch)
[2025-04-29] Accepted dnsdist 1.9.9-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2024-12-23] dnsdist 1.9.8-1 MIGRATED to testing (Debian testing watch)
[2024-12-17] Accepted dnsdist 1.9.8-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2024-08-02] dnsdist 1.9.6-1 MIGRATED to testing (Debian testing watch)
[2024-07-27] Accepted dnsdist 1.9.6-1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (1, 0)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.0.2-1build1