[Pdns-announce] DNSdist 1.9.12 and 2.0.3 released

Remi Gacogne remi.gacogne at powerdns.com
Tue Mar 31 10:06:54 UTC 2026


Hi,

Today we released two new versions of DNSdist, 1.9.12 and 2.0.3, fixing 
several security issues that have been reported to us. These security 
issues are low-severity or involve unusual configurations.

The issues fixed in these releases are:
- CVE-2026-0396: An attacker might be able to inject HTML content into 
the internal web dashboard by sending crafted DNS queries to a DNSdist 
instance where domain-based dynamic rules have been enabled via either 
"DynBlockRulesGroup:setSuffixMatchRule" or 
"DynBlockRulesGroup:setSuffixMatchRuleFFI"
- CVE-2026-0397: When the internal webserver is enabled (default is 
disabled), an attacker might be able to trick an administrator logged in to 
the dashboard into visiting a malicious website and extract information 
about the running configuration from the dashboard
- CVE-2026-24028: An attacker might be able to trigger an out-of-bounds 
read by sending a crafted DNS response packet, when custom Lua code uses 
"newDNSPacketOverlay" to parse DNS packets
- CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) 
option is disabled (default is enabled) on a DNS over HTTPS frontend 
using the "nghttp2" provider, the ACL check is skipped, allowing all 
clients to send DoH queries regardless of the configured ACL
- CVE-2026-24030: An attacker might be able to trick DNSdist into 
allocating too much memory while processing DNS over QUIC or DNS over 
HTTP/3 payloads, resulting in denial of service
- CVE-2026-27853: An attacker might be able to trigger an out-of-bounds 
write by sending crafted DNS responses to a DNSdist using the 
"DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom 
Lua code. In some cases the rewritten packet might become larger than 
the initial response and even exceed 65535 bytes, potentially leading to 
a crash resulting in denial of service
- CVE-2026-27854: Denial of service when using the 
"DNSQuestion:getEDNSOptions" method in custom Lua code
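A small configuration audit for the conditions listed above, added here as an example and not part of the announcement or of the DNSdist project: it flags DoH frontends that select the nghttp2 provider with earlyACLDrop disabled (CVE-2026-24029) and custom Lua that calls the methods named in the other CVEs. The addDOHLocal() function and its library=/earlyACLDrop= option names are assumed from the dnsdist Lua API, and the sample config is constructed.

```python
import re
# Lua names quoted in the advisory, mapped to the CVE each relates to.
RISKY_LUA_CALLS = {
    "setSuffixMatchRule": "CVE-2026-0396",
    "setSuffixMatchRuleFFI": "CVE-2026-0396",
    "newDNSPacketOverlay": "CVE-2026-24028",
    "changeName": "CVE-2026-27853",
    "getEDNSOptions": "CVE-2026-27854",
}
# Constructed sample config; addDOHLocal() and its library=/earlyACLDrop= options are assumed from the dnsdist Lua API.
SAMPLE_CONFIG = """
addDOHLocal("0.0.0.0:443", "cert.pem", "key.pem", {"/dns-query"},
            {library="nghttp2", earlyACLDrop=false})  -- ACL is skipped here
addDOHLocal("[::]:443", "cert.pem", "key.pem", {"/dns-query"}, {library="h2o"})
function checkResponse(dr)
  local opts = dr:getEDNSOptions()
  return DNSResponseAction.None
end
"""

def strip_lua_comments(text):
    # Drop "--" line comments so commented-out settings do not trigger findings.
    return "\n".join(line.split("--", 1)[0] for line in text.splitlines())

def call_args(text, name):
    # Yield the argument text of each call to `name`, tracking nested (), {} and [].
    for m in re.finditer(re.escape(name) + r"\s*\(", text):
        depth = 1
        for i in range(m.end(), len(text)):
            if text[i] in "({[":
                depth += 1
            elif text[i] in ")}]":
                depth -= 1
                if depth == 0:
                    yield text[m.end():i]
                    break

def find_doh_acl_bypass(config):
    """DoH frontends on the nghttp2 provider with earlyACLDrop=false (CVE-2026-24029)."""
    findings = []
    for args in call_args(strip_lua_comments(config), "addDOHLocal"):
        if re.search(r'library\s*=\s*"nghttp2"', args) and re.search(r"earlyACLDrop\s*=\s*false", args):
            findings.append(("CVE-2026-24029", args.split(",", 1)[0].strip().strip('"')))
    return findings

def find_risky_lua_calls(config):
    """Custom Lua code using the methods named in the other CVEs."""
    text = strip_lua_comments(config)
    return sorted((cve, name) for name, cve in RISKY_LUA_CALLS.items()
                  if re.search(r"\b" + re.escape(name) + r"\s*\(", text))
```

Run both functions over your own config text; an empty result for the first means every nghttp2 frontend keeps the default early ACL drop, and the second lists which Lua-dependent fixes apply to you.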

A few bugs have been fixed in addition to these security issues; please 
see the ChangeLogs [1][2] for more details.

Please see the DNSdist website [3] for the current documentation. The 
upgrade guide is also available there [4].

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [5].

The release tarballs [6][8] and their signatures [7][9] are available on 
the downloads website, and packages for several distributions are 
available from our repository [10].

[1]: https://dnsdist.org/changelog.html#change-1.9.12
[2]: https://dnsdist.org/changelog.html#change-2.0.3
[3]: https://dnsdist.org
[4]: https://dnsdist.org/upgrade_guide.html
[5]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.12.tar.bz2
[7]: https://downloads.powerdns.com/releases/dnsdist-1.9.12.tar.bz2.sig
[8]: https://downloads.powerdns.com/releases/dnsdist-2.0.3.tar.xz
[9]: https://downloads.powerdns.com/releases/dnsdist-2.0.3.tar.xz.sig
[10]: https://repo.powerdns.com

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/