Description
Security update for dnsdist
This update for dnsdist fixes the following issues:
Update to dnsdist 1.9.11:
- CVE-2025-8671: Add mitigations for the HTTP/2 MadeYouReset attack (bsc#1253852).
- CVE-2025-30187: denial of service via crafted DoH exchange (bsc#1250054).
Package list
SUSE Linux Enterprise Module for Basesystem 15 SP7
References
- Link for SUSE-SU-2026:0888-1
- E-Mail link for SUSE-SU-2026:0888-1
- SUSE Security Ratings
- SUSE Bug 1243566
- SUSE Bug 1250054
- SUSE Bug 1253852
- SUSE CVE CVE-2025-30187 page
- SUSE CVE CVE-2025-8671 page
Description
In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.
Affected products
References
- CVE-2025-30187
- SUSE Bug 1250054
Description
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them, using malformed frames or flow control errors, an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
Affected products
References
- CVE-2025-8671
- SUSE Bug 1243888
- SUSE Bug 1243895