Hello!

Today we have released PowerDNS DNSdist 1.9.11 and 2.0.1. These releases fix PowerDNS Security Advisory 2025-05 for DNSdist, a denial of service via crafted DoH exchange. While working on adding mitigations against the MadeYouReset (CVE-2025-8671) attack, we noticed a potential denial of service in our DNS over HTTPS implementation when using the nghttp2 provider: an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. We assigned CVE-2025-30187 to this issue. The offending code was introduced in DNSdist 1.9.0-alpha1 so previous versions are not affected.

In addition to fixing this issue, the 1.9.11 and 2.0.1 releases add several mitigations against the MadeYouReset (CVE-2025-8671) attack. Our packages also fix several security issues that have been discovered in Cloudflare's Quiche implementation for DoQ and DoH3 (CVE-2025-4820, CVE-2025-4821, CVE-2025-7054).

The 2.0.1 release also contains several bug fixes and performance improvements.

Please see the DNSdist website [1] for the more complete changelogs [2][3] and the current documentation. The upgrade guide is also available there [4].

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub [5].

The release tarballs [6][8] and their signatures [7][9] are available on the downloads website, and packages for several distributions are available from our repository [10].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.11
[3]: https://dnsdist.org/changelog.html#change-2.0.1
[4]: https://dnsdist.org/upgrade_guide.html
[5]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.11.tar.bz2
[7]: https://downloads.powerdns.com/releases/dnsdist-1.9.11.tar.bz2.sig
[8]: https://downloads.powerdns.com/releases/dnsdist-2.0.1.tar.xz
[9]: https://downloads.powerdns.com/releases/dnsdist-2.0.1.tar.xz.sig
[10]: https://repo.powerdns.com

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
