public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 4a9158dfdbe9767865784582dc05ff943f74460e
@ 2026-03-31 14:18 Michael Tremer
From: Michael Tremer @ 2026-03-31 14:18 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  4a9158dfdbe9767865784582dc05ff943f74460e (commit)
      from  768e8218a84f58f128aff97efb0137f521a6a7dd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4a9158dfdbe9767865784582dc05ff943f74460e
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Mar 31 14:16:53 2026 +0000

    dnsdist: Update to 2.0.3
    
    The issues fixed in these releases are:
    - CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
    - CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
    - CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
    - CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
    - CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
    - CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
    - CVE-2026-27854: Denial of service when using DNSQuestion:getEDNSOptions method in custom Lua code
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/dnsdist                              |  7 +++---
 src/patches/dnsdist-2.0.2-vloginfo.patch | 38 --------------------------------
 2 files changed, 3 insertions(+), 42 deletions(-)
 delete mode 100644 src/patches/dnsdist-2.0.2-vloginfo.patch

Difference in files:
diff --git a/lfs/dnsdist b/lfs/dnsdist
index d1dafabc5..7a70f4716 100644
--- a/lfs/dnsdist
+++ b/lfs/dnsdist
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A highly DNS-, DoS- and abuse-aware loadbalancer
 
-VER        = 2.0.2
+VER        = 2.0.3
 
 THISAPP    = dnsdist-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = dnsdist
-PAK_VER    = 31
+PAK_VER    = 32
 
 DEPS       =
 
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 87a4179f474d7f8117e4e03c4ff680f79207c8056765c6925ee21b3011e4555e47ad9c97950f30ab2876ac0978ee07555017cb1bbc6b93792992c1821f8da27a
+$(DL_FILE)_BLAKE2 = 5f915bfe5201b32956a30440c7b8bde4e9d1862b2c82a2f1124fd846f175e45cf58bd5c78c8ad2b876f8cbf36f9c9109141f2c7ddeff54d9eeac190870387dc5
 
 install : $(TARGET)
 
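Review bot: The new `$(DL_FILE)_BLAKE2` value is the only integrity check on the 2.0.3 tarball, and with `DL_FROM = $(URL_IPFIRE)` it pins whatever archive was uploaded to the project's own download location; the commit message does not say how that archive was checked against the upstream release before it was hashed. Suggest adding a line to the commit message recording how the source tarball was verified, so the digest can be traced back to the upstream release.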
@@ -83,7 +83,6 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np3 < $(DIR_SRC)/src/patches/dnsdist-2.0.2-vloginfo.patch
 	cd $(DIR_APP) && ./configure \
 		--prefix=/usr \
 		--sysconfdir=/etc \
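Review bot: The `patch -Np3` step removed from the `$(TARGET)` recipe drops the `dolog.hh` build fix, yet the commit message lists only the CVEs and gives no reason for the removal. The deleted patch is marked as cherry-picked from upstream commit a279a1453094d0abfc847aa790bc82addc14cc62, so please state in the commit message that 2.0.3 already contains that fix, which is what makes dropping both the step and the patch file safe.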
diff --git a/src/patches/dnsdist-2.0.2-vloginfo.patch b/src/patches/dnsdist-2.0.2-vloginfo.patch
deleted file mode 100644
index 068c86728..000000000
--- a/src/patches/dnsdist-2.0.2-vloginfo.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e01eb83ec8572248f7f661e27d67f731bfb1e5f7 Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <remi.gacogne@powerdns.com>
-Date: Thu, 16 Oct 2025 15:11:56 +0200
-Subject: [PATCH] dnsdist: Fix build error when only protobuf is enabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-The build fails with:
-```
-../dnsdist-protobuf.cc: In member function ‘void DNSDistProtoBufMessage::serialize(std::string&) const’:
-../dnsdist-protobuf.cc:205:7: error: ‘vinfolog’ was not declared in this scope
-  205 |       vinfolog("Error while parsing the RRs from a response packet to add them to the protobuf message: %s", exp.what());
-      |       ^~~~~~~~
-```
-because of a missing header.
-
-Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
-(cherry picked from commit a279a1453094d0abfc847aa790bc82addc14cc62)
----
- pdns/dnsdistdist/dnsdist-protobuf.cc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/pdns/dnsdistdist/dnsdist-protobuf.cc b/pdns/dnsdistdist/dnsdist-protobuf.cc
-index e02b6d8755..cc4fae9139 100644
---- a/pdns/dnsdistdist/dnsdist-protobuf.cc
-+++ b/pdns/dnsdistdist/dnsdist-protobuf.cc
-@@ -25,6 +25,7 @@
- #include "base64.hh"
- #include "dnsdist.hh"
- #include "dnsdist-protobuf.hh"
-+#include "dolog.hh"
- #include "protozero.hh"
- 
- DNSDistProtoBufMessage::DNSDistProtoBufMessage(const DNSQuestion& dnsquestion) :
--- 
-2.47.3
-


hooks/post-receive
--
IPFire 2.x development tree

