[dnsdist] PowerDNS DNSdist 1.9.10 released, fixing CVE-2025-30193

Remi Gacogne remi.gacogne at powerdns.com
Tue May 20 11:16:50 UTC 2025


Hello!

We released PowerDNS DNSdist 1.9.10 today, fixing several bugs including 
a security issue tracked as CVE-2025-30193 where a remote, 
unauthenticated attacker can cause a denial of service via a crafted TCP 
connection. The issue was reported to us via our public IRC channel, so 
once it was clear that the issue had a security impact, we prepared to 
release a new version as soon as possible.

While we advise upgrading to a fixed version, a work-around is to 
temporarily restrict the number of queries that DNSdist is willing to 
accept over a single incoming TCP connection, via the 
setMaxTCPQueriesPerConnection directive. Setting it to 50 is a safe 
choice that does not impact performance in our tests.

Other fixes include:
- On FreeBSD, only pass source addresses on sockets bound to ANY
- Limit number of proxy protocol-enabled outgoing TCP connections
- Fix cache lookup for unavailable TCP-only backends
- Fix memory corruption when using getAddressInfo
- Only set the proxy protocol payload size when actually added

Please see the DNSdist website [1] for the more complete changelog [2] 
and the current documentation. The upgrade guide is also available there 
[3].

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the 
downloads website, and packages for several distributions are available 
from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.10
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-1.9.10.tar.bz2
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.10.tar.bz2.sig
[7]: https://repo.powerdns.com

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
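
The following is an added example, not part of the original announcement and not code from the DNSdist project: a small Python check that reports whether a Lua dnsdist configuration actually applies the setMaxTCPQueriesPerConnection work-around described above. It assumes that the last call to the directive wins and that a value of 0 means unlimited; the function name and the sample configurations are constructed for illustration.

```python
import re

RECOMMENDED_MAX = 50  # value the announcement calls a safe choice

# Naive Lua comment stripping: block comments first, then line comments.
# Limitation: a "--" inside a Lua string literal also truncates that line.
_BLOCK_COMMENT = re.compile(r"--\[\[.*?\]\]", re.DOTALL)
_LINE_COMMENT = re.compile(r"--[^\n]*")
_CALL = re.compile(r"\bsetMaxTCPQueriesPerConnection\s*\(([^)]*)\)")


def audit_workaround(config_text):
    """Return (status, value) for the per-connection TCP query limit."""
    active = _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub("", config_text))
    args = [a.strip() for a in _CALL.findall(active)]
    if not args:
        return ("missing", None)          # directive never called
    last = args[-1]                       # assumption: the last call wins
    if not re.fullmatch(r"[0-9]+", last):
        return ("non-literal", last)      # variable/expression: check by hand
    limit = int(last)
    if limit == 0:
        return ("unlimited", 0)           # assumption: 0 means no limit
    if limit > RECOMMENDED_MAX:
        return ("above-recommended", limit)
    return ("ok", limit)


# Constructed sample configurations, not taken from a real deployment.
SAMPLES = {
    "mitigated": 'newServer("192.0.2.10")\nsetMaxTCPQueriesPerConnection(50)\n',
    "commented_out": "-- setMaxTCPQueriesPerConnection(50)\n",
    "block_commented": "--[[\nsetMaxTCPQueriesPerConnection(50)\n]]\n",
    "overridden": "setMaxTCPQueriesPerConnection(50)\nsetMaxTCPQueriesPerConnection(0)\n",
    "too_high": "setMaxTCPQueriesPerConnection( 1000 )  -- legacy value\n",
    "variable": "local q = 50\nsetMaxTCPQueriesPerConnection(q)\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_workaround(text))
```

A status of "above-recommended" only means the configured limit is higher than the value named in the announcement; it is a prompt to review, not a verdict.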
