From patchwork Tue May 14 10:04:12 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 7780
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VdsbH6v2zz3wwq
	for <patchwork@web04.haj.ipfire.org>; Tue, 14 May 2024 10:11:55 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4VdsbD6403z2KR;
	Tue, 14 May 2024 10:11:52 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VdsbD532sz3334;
	Tue, 14 May 2024 10:11:52 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VdsbB3gqWz2yJC
	for <development@lists.ipfire.org>; Tue, 14 May 2024 10:11:49 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4Vdsb94YFMz2KR;
	Tue, 14 May 2024 10:11:49 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4VdsQP2zcqzTjFP; Tue, 14 May 2024 10:04:13 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] dnsdist: Update to 1.9.4
Date: Tue, 14 May 2024 10:04:12 +0000
Message-Id: <20240514100412.1673481-1-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Message-ID-Hash: 4K6VN7PBBGXPJDAW4B633N4XQZY7A2YA
X-Message-ID-Hash: 4K6VN7PBBGXPJDAW4B633N4XQZY7A2YA
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/4K6VN7PBBGXPJDAW4B633N4XQZY7A2YA/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

This release fixes CVE-2024-25581, a denial of service security issue affecting versions 1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected.

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 lfs/dnsdist | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/dnsdist b/lfs/dnsdist
index d1b23b75b..5a8c0ac70 100644
--- a/lfs/dnsdist
+++ b/lfs/dnsdist
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A highly DNS-, DoS- and abuse-aware loadbalancer
 
-VER        = 1.9.3
+VER        = 1.9.4
 
 THISAPP    = dnsdist-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = dnsdist
-PAK_VER    = 21
+PAK_VER    = 23
 
 SUP_ARCH   = x86_64 aarch64
 
@@ -52,7 +52,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 663b8a2161c5a7b94541cd775f135a99997024648c5bb57fd2ec18c7ede29aebda142452f97332300c45af32b5131e4dd5f9c1f904a1d68962398fa9a28c474e
+$(DL_FILE)_BLAKE2 = a8cfc5c2da135ed96b857f9f1b6c3caa796b27f66ff7ead6e976b871a5e5db208ef3ce275c23085318bd7ff2f0fa2ec19e28ad36234991d84b8d13e74acb2f34
 
 install : $(TARGET)