CVE-2025-30193

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-30193
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-30193.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-30193
Published
2025-05-20T12:15:19Z
Modified
2025-05-26T22:50:17.348768Z
Summary
[none]
Details

In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single incoming TCP connection from a client, an attacker can craft a TCP exchange that exhausts the stack and crashes DNSdist, causing a denial of service.

The remedy is to upgrade to the patched version, 1.9.10.

A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting.

We would like to thank Renaud Allard for bringing this issue to our attention.

Affected packages

Debian:11 / dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.5.1-3
1.6.0-1
1.6.0-2
1.6.1-1
1.7.0-1
1.7.1-1
1.7.2-1
1.7.2-2
1.7.3-1
1.7.3-2
1.8.0-1
1.8.1-1
1.8.2-1
1.8.2-2
1.8.2-3
1.8.3-1
1.8.3-2
1.8.3-3
1.9.3-1
1.9.4-1
1.9.5-1
1.9.6-1
1.9.8-1
1.9.9-1
1.9.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.7.3-2
1.8.0-1
1.8.1-1
1.8.2-1
1.8.2-2
1.8.2-3
1.8.3-1
1.8.3-2
1.8.3-3
1.9.3-1
1.9.4-1
1.9.5-1
1.9.6-1
1.9.8-1
1.9.9-1
1.9.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.9.10-1

Affected versions

1.*

1.7.3-2
1.8.0-1
1.8.1-1
1.8.2-1
1.8.2-2
1.8.2-3
1.8.3-1
1.8.3-2
1.8.3-3
1.9.3-1
1.9.4-1
1.9.5-1
1.9.6-1
1.9.8-1
1.9.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}