[dnsdist] PowerDNS DNSdist 1.7.5 and 1.8.2 released

Remi Gacogne remi.gacogne at powerdns.com
Wed Oct 11 14:38:27 UTC 2023


Today we have released DNSdist 1.7.5 and 1.8.2, with absolutely no 
changes with, respectively, 1.7.4 and 1.8.1, apart from the fact that 
our DNSdist packages have been rebuilt against our own fork [1] of 
libh2o in order to mitigate CVE-2023-44487 [2], also known as HTTP/2 
rapid reset [3].

This attack exploits a vulnerability in most implementations of the 
HTTP/2 protocol, making it easier to cause a denial of service of HTTP/2 
servers by sending them crafted queries. While the vulnerability does 
not come from DNSdist's code, all versions of DNSdist supporting DNS 
over HTTPS are impacted by this issue if incoming DNS over HTTPS is 
enabled, which is not the case by default.

As we warned earlier, libh2o is no longer supported as a stable library, 
and there will be no official release fixing this issue. For this reason 
we have forked the official h2o repository and backported the fix to the 
2.2.x branch, making it available to the public. If you are not using 
our packages but are compiling DNSdist yourself, or relying on your 
distribution's packages, please ensure that you are using a patched 
version of libh2o in order to be protected.

In the very near future we will be releasing DNSdist 1.9.0 where DNS 
over HTTPS is provided by the nghttp2 library, so we do not have to rely 
on h2o any longer.

Please see the DNSdist website [4] for the current documentation.

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [5].

The tarballs (1.7.5 [6], 1.8.2 [7]) and theirs signatures (1.7.5 [8], 
1.8.2 [9]) are available on the downloads website, and packages for 
several distributions are available from our repository [10].

Docker images have not been updated yet but will be soon.

[1]: https://github.com/PowerDNS/h2o/tree/v2.2.6%2Bpdns
[2]: https://www.cve.org/CVERecord?id=CVE-2023-44487
[4]: https://dnsdist.org
[5]: https://github.com/PowerDNS/pdns/issues/new/choose
[10]: https://repo.powerdns.com

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20231011/219c1fdb/attachment.sig>

More information about the dnsdist mailing list