Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/dnsdist@1.9.10-1%2Bdeb13u1
purl pkg:deb/debian/dnsdist@1.9.10-1%2Bdeb13u1
Next non-vulnerable version 2.0.3-1
Latest non-vulnerable version 2.0.3-1
Risk 1.6
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-3qce-a24m-yue1
Aliases:
CVE-2026-27853
An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.
2.0.3-1
Affected by 0 other vulnerabilities.
VCID-atx2-yc9p-g3c7
Aliases:
CVE-2026-24030
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
2.0.3-1
Affected by 0 other vulnerabilities.
VCID-c7az-aw1f-4yah
Aliases:
CVE-2026-24029
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
2.0.3-1
Affected by 0 other vulnerabilities.
VCID-gx8g-nvhj-1kak
Aliases:
CVE-2026-0397
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
2.0.3-1
Affected by 0 other vulnerabilities.
VCID-rf53-w9k3-7ych
Aliases:
CVE-2026-24028
An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.
2.0.3-1
Affected by 0 other vulnerabilities.
VCID-szpa-skfv-bygh
Aliases:
CVE-2026-27854
An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
2.0.3-1
Affected by 0 other vulnerabilities.
VCID-x5p9-vthx-tud8
Aliases:
CVE-2026-0396
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
2.0.3-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-5781-s1ny-q7ey CVE-2023-44487
GHSA-2m7v-gc89-fjqf
GHSA-qppj-fm5r-hxr3
GHSA-vx74-f528-fxqg
GHSA-xpw8-rcwv-8f8p
GMS-2023-3377
VSV00013
VCID-76w9-hphz-nkg1 In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting. We would like to thank Renaud Allard for bringing this issue to our attention. CVE-2025-30193

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T11:17:17.495620+00:00 Debian Importer Affected by VCID-szpa-skfv-bygh https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:13:07.450772+00:00 Debian Importer Affected by VCID-3qce-a24m-yue1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:59:33.153377+00:00 Debian Importer Fixing VCID-5781-s1ny-q7ey https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:27:05.977015+00:00 Debian Importer Affected by VCID-x5p9-vthx-tud8 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:06:57.965170+00:00 Debian Importer Fixing VCID-76w9-hphz-nkg1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:04:13.940697+00:00 Debian Importer Affected by VCID-gx8g-nvhj-1kak https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:00:44.087065+00:00 Debian Importer Affected by VCID-atx2-yc9p-g3c7 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:48:22.382531+00:00 Debian Importer Affected by VCID-rf53-w9k3-7ych https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:42:24.985616+00:00 Debian Importer Affected by VCID-c7az-aw1f-4yah https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T07:40:45.560108+00:00 Debian Importer Affected by VCID-szpa-skfv-bygh https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:37:39.625001+00:00 Debian Importer Affected by VCID-3qce-a24m-yue1 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:27:32.383717+00:00 Debian Importer Fixing VCID-5781-s1ny-q7ey https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:03:03.639837+00:00 Debian Importer Affected by VCID-x5p9-vthx-tud8 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:47:33.983802+00:00 Debian Importer Fixing VCID-76w9-hphz-nkg1 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:45:24.143826+00:00 Debian Importer Affected by VCID-gx8g-nvhj-1kak https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:42:45.529242+00:00 Debian Importer Affected by VCID-atx2-yc9p-g3c7 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:55:02.024850+00:00 Debian Importer Affected by VCID-rf53-w9k3-7ych https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T17:51:04.601392+00:00 Debian Importer Affected by VCID-c7az-aw1f-4yah https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-02T17:17:43.114907+00:00 Debian Importer Affected by VCID-gx8g-nvhj-1kak https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:12:27.069940+00:00 Debian Importer Affected by VCID-3qce-a24m-yue1 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:11:16.768580+00:00 Debian Importer Affected by VCID-x5p9-vthx-tud8 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:10:59.385064+00:00 Debian Importer Affected by VCID-szpa-skfv-bygh https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:10:05.476746+00:00 Debian Importer Fixing VCID-5781-s1ny-q7ey https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:07:29.360409+00:00 Debian Importer Fixing VCID-76w9-hphz-nkg1 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:06:59.829461+00:00 Debian Importer Affected by VCID-rf53-w9k3-7ych https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:06:42.829375+00:00 Debian Importer Affected by VCID-atx2-yc9p-g3c7 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-02T17:02:25.959840+00:00 Debian Importer Affected by VCID-c7az-aw1f-4yah https://security-tracker.debian.org/tracker/data/json 38.1.0