CVS commit: pkgsrc/net/dnsdist

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Fri Apr 24 17:11:18 UTC 2026

Modified Files:
        pkgsrc/net/dnsdist: Makefile distinfo

Log Message:
net/dnsdist: Update to version 2.0.5

>From drixter via wip.

2.0.5
Released: 23rd of April 2026
Improvements
Do not keep the parsed EDNS options around
References: pull request 17165

Bug Fixes
Hardened DoQ internal error handling for cross-protocol queries
References: pull request 17170
Give TCP thread as default for definition USE_SINGLE_ACCEPTOR_THREAD
References: #17109, pull request 17168
Hardened DoH3 internal error handling for cross-protocol queries
References: pull request 17173
Handle missing X-Forwarded-For on existing DoH connection
References: pull request 17176
Fix handling of long HTTP/2 Date headers, handle non-POSIX locales
References: pull request 17178
Do not oversize the received buffer with recvmmsg
References: pull request 17166
meson: Add missing checks for TLS_client_method, gnutls_transport_set_fastopen
References: pull request 17179
Fix the StatNode::fullname issue introduced in 2.0.4
References: pull request 17207

2.0.4
Released: 22nd of April 2026
Bug Fixes
CVE-2026-33257: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an 
ACL by default
References: pull request TBD
CVE-2026-33260: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an 
ACL by default
References: pull request TBD
CVE-2026-33596: A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to 
a TCP-only or DNS over TLS backend
References: pull request TBD
CVE-2026-33597: A crafted query containing an invalid DNS label can prevent the PRSD detection algorithm executed via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI 
from being executed
References: pull request TBD
CVE-2026-33598: A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache
References: pull request TBD
CVE-2026-33599: A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade 
(YAML) settings. DDR upgrade is not enabled by default
References: pull request TBD
CVE-2026-33602: A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service
References: pull request TBD
CVE-2026-33254: An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are 
disabled by default
References: pull request TBD
CVE-2026-33595: A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the 
end of the connection. DOQ and DoH3 are disabled by default
References: pull request TBD
CVE-2026-33594: A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not 
be released until the end of the connection. Outgoing DoH is disabled by default
References: pull request TBD
CVE-2026-33593: A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query
References: pull request TBD
Fix passing a numeric value to the YAML QType selector
References: pull request 17089


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/net/dnsdist/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/net/dnsdist/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/dnsdist/Makefile
diff -u pkgsrc/net/dnsdist/Makefile:1.47 pkgsrc/net/dnsdist/Makefile:1.48
--- pkgsrc/net/dnsdist/Makefile:1.47    Tue Mar 31 13:31:02 2026
+++ pkgsrc/net/dnsdist/Makefile Fri Apr 24 17:11:17 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.47 2026/03/31 13:31:02 wiz Exp $
+# $NetBSD: Makefile,v 1.48 2026/04/24 17:11:17 wiz Exp $
 
-DISTNAME=      dnsdist-2.0.3
+DISTNAME=      dnsdist-2.0.5
 CATEGORIES=    net
 MASTER_SITES=  https://downloads.powerdns.com/releases/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/net/dnsdist/distinfo
diff -u pkgsrc/net/dnsdist/distinfo:1.24 pkgsrc/net/dnsdist/distinfo:1.25
--- pkgsrc/net/dnsdist/distinfo:1.24    Tue Mar 31 13:31:02 2026
+++ pkgsrc/net/dnsdist/distinfo Fri Apr 24 17:11:17 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.24 2026/03/31 13:31:02 wiz Exp $
+$NetBSD: distinfo,v 1.25 2026/04/24 17:11:17 wiz Exp $
 
-BLAKE2s (dnsdist-2.0.3.tar.xz) = 8c052b5f0636aa6d1515c9431c033e53b4adc345e0999e1d32c079fb20a6548f
-SHA512 (dnsdist-2.0.3.tar.xz) = 10922b91c39433414fee61e09894fbe1bc4b860558f3f6b4e729db0c561d33a22a17beff4162432bbc0a479b9edbaece735ae1f566a58b7d2da60b7e97b376b9
-Size (dnsdist-2.0.3.tar.xz) = 2285640 bytes
+BLAKE2s (dnsdist-2.0.5.tar.xz) = 547e2c3642ede391c54e07e89569f9c5356f3823c4a95f43cae7471627f9db3a
+SHA512 (dnsdist-2.0.5.tar.xz) = 82eb29c378ac05e1a029a8bd04ca4144a9636ac777020c97090ce0bea3ad215cd7a6fde9218ec4bcb8a4d773730f34ba9f476484f42e7fea34e84717a43f9286
+Size (dnsdist-2.0.5.tar.xz) = 2289448 bytes
 SHA1 (patch-configure) = d9ec9f3416862f471a3029168681b9512ced68b9