{"id":"SUSE-SU-2026:1618-1","summary":"Security update for dnsdist","details":"This update for dnsdist fixes the following issues:\n\nUpdate to version 1.9.12.\n\n- https://www.dnsdist.org/changelog.html#change-1.9.12\n\nSecurity issues fixed:\n\n- CVE-2026-0396: crafted DNS queries triggering domain-based dynamic rules can lead to HTML injection in the web\n  dashboard (bsc#1261236).\n- CVE-2026-0397: misconfiguration of the CORS policy can lead to information disclosure (bsc#1261237).\n- CVE-2026-24028: crafted DNS packet parsed by Lua code using `newDNSPacketOverlay` can lead to an out-of-bounds read\n  (bsc#1261238).\n- CVE-2026-24029: disabled option on a DNS over HTTPS nghttp2 frontend allows clients to bypass ACLs and send DoH\n  queries (bsc#1261239).\n- CVE-2026-24030: crafted DoQ and DoH3 queries can lead to unbounded memory allocation and DoS (bsc#1261240).\n- CVE-2026-27853: crafted DNS responses sent to a DNSdist using certain methods in custom Lua code (`changeName`) can\n  lead to an out-of-bounds write (bsc#1261243).\n- CVE-2026-27854: crafted DNS queries sent to a DNSdist using the `DNSQuestion:getEDNSOptions` method in custom Lua\n  code can lead to a use-after-free (bsc#1261241).\n","modified":"2026-04-25T07:46:27.091003Z","published":"2026-04-24T14:25:54Z","related":["CVE-2026-0396","CVE-2026-0397","CVE-2026-24028","CVE-2026-24029","CVE-2026-24030","CVE-2026-27853","CVE-2026-27854"],"upstream":["CVE-2026-0396","CVE-2026-0397","CVE-2026-24028","CVE-2026-24029","CVE-2026-24030","CVE-2026-27853","CVE-2026-27854"],"references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-20261618-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261236"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261237"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261238"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261239"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261240"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261241"},{"type":"REPORT","url":"https://bugzilla.suse.com/1261243"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-0396"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-0397"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-24028"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-24029"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-24030"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-27853"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-27854"}],"affected":[{"package":{"name":"dnsdist","ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP7","purl":"pkg:rpm/suse/dnsdist&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.9.12-150700.3.9.1"}]}],"ecosystem_specific":{"binaries":[{"dnsdist":"1.9.12-150700.3.9.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1618-1.json"}}],"schema_version":"1.7.5"}