openSUSE-RU-2026:21160-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-RU-2026:21160-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-RU-2026:21160-1
Upstream
Related
Published
2026-06-25T15:31:46Z
Modified
2026-06-30T18:24:39.473423622Z
Summary
Recommended update for dnscrypt-proxy
Details

This update for dnscrypt-proxy fixes the following issues:

Changes in dnscrypt-proxy:

  • Update to version 2.1.16

    • The "tlsciphersuite" option is now a no-op. Modern TLS stacks no longer expose cipher suite selection in a meaningful way, and the option had become misleading
    • A log size of 0 no longer means "unlimited"; it now correctly disables rotation by size
    • A new "tlspreferrsa" option has been added to prefer RSA cipher suites during the TLS handshake, useful on systems without hardware AES
    • The IP allow/block plugins now support CIDR ranges in addition to single addresses and prefix matching
    • Forwarding rules now support $RESOLVCONF:<file> to pick up upstream resolvers from a resolv.conf-style file, complementing the existing $DHCP syntax
    • Servers that hit a transient high RTT could previously stay penalized forever and never come back into rotation; their RTT estimate now decays so they can recover
    • Servers are no longer penalized for slow responses when the response is actually being served from the stale cache
    • The HTTP transport now handles Alt-Svc: clear properly and reuses HTTP connections more aggressively
    • The cache TTL is now an explicit, configurable parameter rather than being derived implicitly
    • The ""-resolve"" command now reports incomplete DNSSEC support instead of silently treating partial signatures as a success
    • "jsdelivr is now offered as an alternative source URL for resolver lists, providing more redundancy when the primary mirrors are unreachable
  • boo#1260280: vendored google.golang.org/grpc v1.80.0

  • boo#1265785: vendored golang.org/x/net v0.54.0

  • Update to version 2.1.15

    • Proxy hostnames (when using SOCKS/HTTP proxies) are now pre-resolved using bootstrap resolvers if they are domain names
    • Dynamically reduces timeouts as the connection limit is approached
    • Fixed double-bracketing of IPv6 addresses in DoH stamps
    • Cache statistics are now more accurate by only counting queries that actually participate in caching
    • Multiple IP addresses per hostname are now cached instead of randomly selecting one
  • Update to version 2.1.14

    • Added support for client IP address encryption in logs
  • Update to version 2.1.13

    • Manual configuration reload via SIGHUP is now supported regardless of the hot-reload setting, providing more flexibility for system administrators
    • Fixed a regression in IP prefix matching for allow/block lists that could cause incorrect filtering behavior
    • the generate-domains-blocklist script now handles poor network conditions more gracefully
  • Update to version 2.1.12

    • weighted Power of Two (WP2) load balancing strategy has been implemented as the default
    • optional Prometheus metrics endpoint has been added for monitoring
    • additional records in queries are now properly removed before forwarding
    • simple view UI has been removed
  • Update to version 2.1.11

    • web-based monitoring user interface added
    • configuration files hot-reloading implemented
    • HTTP/3 probing
    • added parallel downloading of block lists
  • Updated to version 2.1.8

    • Dependencies have been updated, notably the QUIC implementation, which could be vulnerable to denial-of-service attacks.
    • In forwarding rules, the target can now optionally include a non-standard DNS port number. The port number is also now optional when using IPv6.
    • An annoying log message related to permissions on Windows has been suppressed.
    • Resolver IP addresses can now be refreshed more frequently. Additionally, jitter has been introduced to prevent all resolvers from being refreshed simultaneously. Further changes have been implemented to mitigate issues arising from multiple concurrent attempts to resolve a resolver's IP address.
    • An empty value for "tlsciphersuite" is now equivalent to leaving the property undefined. Previously, it disabled all TLS cipher suites, which had little practical justification.
    • In forwarding rules, an optional *. prefix is now accepted.
  • Update to version 2.1.7

    • Reintroduces support for XSalsa20 enryption in DNSCrypt, which was removed in 2.1.6. Unfortunately, a bunch of servers still only support that encryption system.
    • Added check for lying resolvers was added for DNSCrypt, similar to the one that was already present for DoH and ODoH.
  • With vendored quic-go at 0.48.2 since update to 2.1.6 boo#1222473 and boo#1235156 should be fixed.

  • Update to version 2.1.6

    • Forwarding: in the list of servers for a zone, the $BOOTSTRAP keyword can be included as a shortcut to forward to the bootstrap servers. And the $DHCP keyword can be included to forward to the DNS resolvers provided by the local DHCP server. Based on work by YX Hao, thanks! DHCP forwarding should be considered experimental and my not work on all operating systems. A rule for a zone can mix and match multiple forwarder types, such as 10.0.0.1,10.0.0.254,$DHCP, 192.168.1.1,$BOOTSTRAP. Note that this is not implemented for captive portals yet.
    • Lying resolvers are now skipped, instead of just printing an error. This doesn't apply to captive portal and forwarding entries, which are the only reasonable use case for lying resolvers.
    • Support for XSalsa20 in DNSCrypt has been removed. This was not documented, and was supserseded by XChaCha20 in 2016.
    • Source files are now fetched with compression.
    • DNS64: compatibility has been improved.
    • Forwarding: the root domain (.) can now be forwarded.
    • The ARC caching algorithm has been replaced by the SIEVE algorithm.
    • Properties of multiple servers are now updated simultaneously. The concurrency level can be adjusted with the new cert_refresh_concurrency setting. Contributed by YX Hao.
    • MSI packages for DNSCrypt can now easily be built.
    • New command-line flag: -include-relays to include relays in -list and -list-all.
    • Support for DNS extended error codes has been added.
    • Documentation updates, bug fixes, dependency updates.
References

Affected packages

openSUSE:Leap 16.0 / dnscrypt-proxy

Package

Name
dnscrypt-proxy
Purl
pkg:rpm/opensuse/dnscrypt-proxy&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.16-bp160.1.1

Ecosystem specific

{
    "binaries": [
        {
            "dnscrypt-proxy": "2.1.16-bp160.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-RU-2026:21160-1.json"