VulnerableCode Package Details - pkg:deb/debian/dnsdist@1.7.3-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-3qce-a24m-yue1 Aliases: CVE-2026-27853	An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.	2.0.3-1 Affected by 0 other vulnerabilities.
VCID-5781-s1ny-q7ey Aliases: CVE-2023-44487 GHSA-2m7v-gc89-fjqf GHSA-qppj-fm5r-hxr3 GHSA-vx74-f528-fxqg GHSA-xpw8-rcwv-8f8p GMS-2023-3377 VSV00013		1.9.10-1+deb13u1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-76w9-hphz-nkg1 Aliases: CVE-2025-30193	In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting. We would like to thank Renaud Allard for bringing this issue to our attention.	1.9.10-1+deb13u1 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-atx2-yc9p-g3c7 Aliases: CVE-2026-24030	An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.	2.0.3-1 Affected by 0 other vulnerabilities.
VCID-c7az-aw1f-4yah Aliases: CVE-2026-24029	When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.	2.0.3-1 Affected by 0 other vulnerabilities.
VCID-gx8g-nvhj-1kak Aliases: CVE-2026-0397	When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.	2.0.3-1 Affected by 0 other vulnerabilities.
VCID-rf53-w9k3-7ych Aliases: CVE-2026-24028	An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.	2.0.3-1 Affected by 0 other vulnerabilities.
VCID-szpa-skfv-bygh Aliases: CVE-2026-27854	An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.	2.0.3-1 Affected by 0 other vulnerabilities.
VCID-x5p9-vthx-tud8 Aliases: CVE-2026-0396	An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.	2.0.3-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-3qce-a24m-yue1
Aliases:
CVE-2026-27853

An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.

2.0.3-1
Affected by 0 other vulnerabilities.

VCID-5781-s1ny-q7ey
Aliases:
CVE-2023-44487
GHSA-2m7v-gc89-fjqf
GHSA-qppj-fm5r-hxr3
GHSA-vx74-f528-fxqg
GHSA-xpw8-rcwv-8f8p
GMS-2023-3377
VSV00013

1.9.10-1+deb13u1
Affected by 7 other vulnerabilities.

VCID-76w9-hphz-nkg1
Aliases:
CVE-2025-30193

In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting. We would like to thank Renaud Allard for bringing this issue to our attention.

1.9.10-1+deb13u1
Affected by 7 other vulnerabilities.

VCID-atx2-yc9p-g3c7
Aliases:
CVE-2026-24030

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

2.0.3-1
Affected by 0 other vulnerabilities.

VCID-c7az-aw1f-4yah
Aliases:
CVE-2026-24029

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

2.0.3-1
Affected by 0 other vulnerabilities.

VCID-gx8g-nvhj-1kak
Aliases:
CVE-2026-0397

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

2.0.3-1
Affected by 0 other vulnerabilities.

VCID-rf53-w9k3-7ych
Aliases:
CVE-2026-24028

An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.

2.0.3-1
Affected by 0 other vulnerabilities.

VCID-szpa-skfv-bygh
Aliases:
CVE-2026-27854

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.

2.0.3-1
Affected by 0 other vulnerabilities.

VCID-x5p9-vthx-tud8
Aliases:
CVE-2026-0396

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.

2.0.3-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:17:17.492324+00:00	Debian Importer	Affected by	VCID-szpa-skfv-bygh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:13:07.446902+00:00	Debian Importer	Affected by	VCID-3qce-a24m-yue1	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:59:33.149622+00:00	Debian Importer	Affected by	VCID-5781-s1ny-q7ey	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:27:05.972582+00:00	Debian Importer	Affected by	VCID-x5p9-vthx-tud8	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:06:57.960835+00:00	Debian Importer	Affected by	VCID-76w9-hphz-nkg1	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:04:13.937061+00:00	Debian Importer	Affected by	VCID-gx8g-nvhj-1kak	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:00:44.082917+00:00	Debian Importer	Affected by	VCID-atx2-yc9p-g3c7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:48:22.380740+00:00	Debian Importer	Affected by	VCID-rf53-w9k3-7ych	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:42:24.982203+00:00	Debian Importer	Affected by	VCID-c7az-aw1f-4yah	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:40:45.555748+00:00	Debian Importer	Affected by	VCID-szpa-skfv-bygh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:37:39.612743+00:00	Debian Importer	Affected by	VCID-3qce-a24m-yue1	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:27:32.379532+00:00	Debian Importer	Affected by	VCID-5781-s1ny-q7ey	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:03:03.635095+00:00	Debian Importer	Affected by	VCID-x5p9-vthx-tud8	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:47:33.979782+00:00	Debian Importer	Affected by	VCID-76w9-hphz-nkg1	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:45:24.139328+00:00	Debian Importer	Affected by	VCID-gx8g-nvhj-1kak	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:42:45.521192+00:00	Debian Importer	Affected by	VCID-atx2-yc9p-g3c7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:55:02.021005+00:00	Debian Importer	Affected by	VCID-rf53-w9k3-7ych	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:51:04.597845+00:00	Debian Importer	Affected by	VCID-c7az-aw1f-4yah	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-02T17:17:43.110800+00:00	Debian Importer	Affected by	VCID-gx8g-nvhj-1kak	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:12:27.065882+00:00	Debian Importer	Affected by	VCID-3qce-a24m-yue1	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:11:16.764553+00:00	Debian Importer	Affected by	VCID-x5p9-vthx-tud8	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:10:59.381139+00:00	Debian Importer	Affected by	VCID-szpa-skfv-bygh	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:10:05.472947+00:00	Debian Importer	Affected by	VCID-5781-s1ny-q7ey	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:07:29.356694+00:00	Debian Importer	Affected by	VCID-76w9-hphz-nkg1	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:06:59.825881+00:00	Debian Importer	Affected by	VCID-rf53-w9k3-7ych	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:06:42.825515+00:00	Debian Importer	Affected by	VCID-atx2-yc9p-g3c7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:02:25.955246+00:00	Debian Importer	Affected by	VCID-c7az-aw1f-4yah	https://security-tracker.debian.org/tracker/data/json	38.1.0