CVS commit: pkgsrc/net/dnsdist

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/net/dnsdist
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Tue, 31 Mar 2026 13:31:02 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Tue Mar 31 13:31:02 UTC 2026

Modified Files:
        pkgsrc/net/dnsdist: Makefile distinfo
Removed Files:
        pkgsrc/net/dnsdist/patches: patch-dnsdist-protobuf.cc

Log Message:
net/dnsdist: Update to version 2.0.3

Provided by Marcin Gondek in wip.

Improvements

Add a metric for the latency of the latest health-check
Export DNS flags via ProtoBuf
Add a histogram of health-check latencies for backends

Bug Fixes

CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled 
via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged into the dashboard into visiting a malicious website and 
extract information about the running configuration from the dashboard
CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the "nghttp2" provider, the ACL check is skipped, allowing 
all clients to send DoH queries regardless of the configured ACL
CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in 
custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
CVE-2026-27854: Denial of service when using "DNSQuestion:getEDNSOptions" method in custom Lua code
Fix wrong address being inserted in the rings for responses
Work around Quiche not dealing well with removed congestion algorithms
Fix build error when only protobuf is enabled
Add missing #if statements to dnsdist-lua.cc
Do not keep stale cache entries around for empty pools
Fix handling of IP-only TLS certificates
Handle escaped values in YAML SpoofRaw parameters
Don't start the NetworkListener thread in config check mode


To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 pkgsrc/net/dnsdist/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/net/dnsdist/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/net/dnsdist/patches/patch-dnsdist-protobuf.cc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/dnsdist/Makefile
diff -u pkgsrc/net/dnsdist/Makefile:1.46 pkgsrc/net/dnsdist/Makefile:1.47
--- pkgsrc/net/dnsdist/Makefile:1.46    Fri Feb  6 10:05:30 2026
+++ pkgsrc/net/dnsdist/Makefile Tue Mar 31 13:31:02 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.46 2026/02/06 10:05:30 wiz Exp $
+# $NetBSD: Makefile,v 1.47 2026/03/31 13:31:02 wiz Exp $
 
-DISTNAME=      dnsdist-2.0.2
-PKGREVISION=   3
+DISTNAME=      dnsdist-2.0.3
 CATEGORIES=    net
 MASTER_SITES=  https://downloads.powerdns.com/releases/
 EXTRACT_SUFX=  .tar.xz

Index: pkgsrc/net/dnsdist/distinfo
diff -u pkgsrc/net/dnsdist/distinfo:1.23 pkgsrc/net/dnsdist/distinfo:1.24
--- pkgsrc/net/dnsdist/distinfo:1.23    Thu Dec  4 23:18:59 2025
+++ pkgsrc/net/dnsdist/distinfo Tue Mar 31 13:31:02 2026
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.23 2025/12/04 23:18:59 wiz Exp $
+$NetBSD: distinfo,v 1.24 2026/03/31 13:31:02 wiz Exp $
 
-BLAKE2s (dnsdist-2.0.2.tar.xz) = f7a18e3afe863255aaaf040ca6c8f573365ea415f4483062c5c6d71d0211b4c1
-SHA512 (dnsdist-2.0.2.tar.xz) = 7f53d13bb90b7b70da364341e50473b88be0bc9619e3263e352bed75aa57edbc018824439749956281a2c7a5d32c653e7378fe9d3cbc296042fa8120eee75fae
-Size (dnsdist-2.0.2.tar.xz) = 2284864 bytes
+BLAKE2s (dnsdist-2.0.3.tar.xz) = 8c052b5f0636aa6d1515c9431c033e53b4adc345e0999e1d32c079fb20a6548f
+SHA512 (dnsdist-2.0.3.tar.xz) = 10922b91c39433414fee61e09894fbe1bc4b860558f3f6b4e729db0c561d33a22a17beff4162432bbc0a479b9edbaece735ae1f566a58b7d2da60b7e97b376b9
+Size (dnsdist-2.0.3.tar.xz) = 2285640 bytes
 SHA1 (patch-configure) = d9ec9f3416862f471a3029168681b9512ced68b9
-SHA1 (patch-dnsdist-protobuf.cc) = fdcf6de86f307420c151bb18c15027dbc69e40ea

Prev by Date: CVS commit: [pkgsrc-2026Q1] pkgsrc/devel/ruby-redmine51
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: [pkgsrc-2026Q1] pkgsrc/devel/ruby-redmine51
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index