Best description I've found comes from Arch Wiki: Prior to systemd version 245.2-2, systemd-resolved only validated the DNS server certificate if it was issued for the server's IP address (a rare occurrence). DNS server certificates without an IP address were not checked, making systemd-resolved vulnerable to man-in-the-middle attacks.

Vulnerability was patched for systemd-246: https://github.com/systemd/systemd/commit/eec394f10bbfcc3d2fc8504ad8ff5be44231abd5

Need to stable 246-r1.
Ready?
Unable to check for sanity:
> no match for package: sys-apps/systemd-246

Sanity check failed:
> sys-apps/systemd-246-r1
> pdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
> >=sys-fs/udev-init-scripts-34
> pdepend amd64 dev profile default/linux/amd64/17.0/x32 (34 total)
> >=sys-fs/udev-init-scripts-34
All sanity-check issues have been resolved
hppa stable
arm64 done
x86 done
amd64 done
ppc done
ppc64 done
arm done
sparc done
s390 stable. Maintainer(s), please cleanup. Security, please vote.
Unable to check for sanity:
> no match for package: sys-apps/systemd-246-r1

GLSA Vote: No
The vulnerability has been disputed. Repository is clean, all done!