955071 – <net-dns/dnsdist-1.9.9: vulnerability to CVE-2025-30194 (DOS via crafted DoH exchange)

Bug 955071 - <net-dns/dnsdist-1.9.9: vulnerability to CVE-2025-30194 (DOS via crafted DoH exchange)

Summary: <net-dns/dnsdist-1.9.9: vulnerability to CVE-2025-30194 (DOS via crafted DoH ...

Status:	IN_PROGRESS

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical
Assignee:	Gentoo Security

URL:	https://mailman.powerdns.com/pipermai...
Whiteboard:	C3 [glsa?]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2025-04-29 11:56 UTC by Holger Hoffstätte
Modified:	2025-04-29 20:42 UTC (History)
CC List:	4 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/41841
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Holger Hoffstätte 2025-04-29 11:56:33 UTC

See $URL and here fore the CVE:
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html

Pull Request is in progress.


Reproducible: Always

Comment 1 Hans de Graaff gentoo-dev

2025-04-29 12:13:35 UTC

Thanks for reporting this. I have removed the version number from the Summary because we use that to indicate the fixed version in Gentoo (which may differ from upstream's fixed version, e.g. when we backport).

Comment 2 Larry the Git Cow gentoo-dev

2025-04-29 20:31:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c166366efafe3f75d787943d3e1125bdd368064e

commit c166366efafe3f75d787943d3e1125bdd368064e
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2025-04-29 11:52:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-29 20:31:24 +0000

    net-dns/dnsdist: clean up old
    
    Bug: https://bugs.gentoo.org/955071
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Part-of: https://github.com/gentoo/gentoo/pull/41841
    Closes: https://github.com/gentoo/gentoo/pull/41841
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/dnsdist/Manifest                           |   2 -
 net-dns/dnsdist/dnsdist-1.9.6.ebuild               | 112 -------------------
 net-dns/dnsdist/dnsdist-1.9.8-r2.ebuild            | 120 ---------------------
 ...9.8-fix-compat-with-boost-lockfree-1.87.0.patch |  90 ----------------
 net-dns/dnsdist/files/1.9.8-quiche-0.23.patch      |  52 ---------
 5 files changed, 376 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ec6edbeb8bfb4ea53f83fdce3c94953c24c5fe6

commit 1ec6edbeb8bfb4ea53f83fdce3c94953c24c5fe6
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2025-04-29 11:49:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-04-29 20:31:23 +0000

    net-dns/dnsdist: add 1.9.9
    
    This is a direct-to-stable update to fix CVE-2025-30194:
    https://mailman.powerdns.com/pipermail/dnsdist/2025-April/001577.html
    The only changes are the DoH fix + patches we carried in 1.9.8-r2.
    Working fine for me in production.
    
    Bug: https://bugs.gentoo.org/955071
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Part-of: https://github.com/gentoo/gentoo/pull/41841
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/dnsdist/Manifest             |   1 +
 net-dns/dnsdist/dnsdist-1.9.9.ebuild | 115 +++++++++++++++++++++++++++++++++++
 2 files changed, 116 insertions(+)