[dnsdist] PowerDNS DNSdist 1.7.5 and 1.8.2 released
Remi Gacogne
remi.gacogne at powerdns.com
Wed Oct 11 14:38:27 UTC 2023
Hi,

Today we have released DNSdist 1.7.5 and 1.8.2, with absolutely no
changes compared to, respectively, 1.7.4 and 1.8.1, apart from the fact that
our DNSdist packages have been rebuilt against our own fork [1] of
libh2o in order to mitigate CVE-2023-44487 [2], also known as HTTP/2
rapid reset [3].

This attack exploits a vulnerability in most implementations of the
HTTP/2 protocol, making it easier to cause a denial of service of HTTP/2
servers by sending them crafted queries. While the vulnerability does
not come from DNSdist's code, all versions of DNSdist supporting DNS
over HTTPS are impacted by this issue if incoming DNS over HTTPS is
enabled, which is not the case by default.

As we warned earlier, libh2o is no longer supported as a stable library,
and there will be no official release fixing this issue. For this reason
we have forked the official h2o repository and backported the fix to the
2.2.x branch, making it available to the public. If you are not using
our packages but are compiling DNSdist yourself, or relying on your
distribution's packages, please ensure that you are using a patched
version of libh2o in order to be protected.

In the very near future we will be releasing DNSdist 1.9.0 where DNS
over HTTPS is provided by the nghttp2 library, so we do not have to rely
on h2o any longer.

Please see the DNSdist website [4] for the current documentation.

Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [5].

The tarballs (1.7.5 [6], 1.8.2 [7]) and their signatures (1.7.5 [8],
1.8.2 [9]) are available on the downloads website, and packages for
several distributions are available from our repository [10].

Docker images have not been updated yet but will be soon.

[1]: https://github.com/PowerDNS/h2o/tree/v2.2.6%2Bpdns
[2]: https://www.cve.org/CVERecord?id=CVE-2023-44487
[3]: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
[4]: https://dnsdist.org
[5]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://downloads.powerdns.com/releases/dnsdist-1.7.5.tar.bz2
[7]: https://downloads.powerdns.com/releases/dnsdist-1.8.2.tar.bz2
[8]: https://downloads.powerdns.com/releases/dnsdist-1.7.5.tar.bz2.sig
[9]: https://downloads.powerdns.com/releases/dnsdist-1.8.2.tar.bz2.sig
[10]: https://repo.powerdns.com

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/