SUSE-SU-2026:22319-1: moderate: Security update for dnsdist
SLE-SECURITY-UPDATES
null at suse.de
Wed Jul 1 16:41:55 UTC 2026
# Security update for dnsdist
Announcement ID: SUSE-SU-2026:22319-1
Release Date: 2026-06-22T14:30:36Z
Rating: moderate
References:
* bsc#1261236
* bsc#1261237
* bsc#1261238
* bsc#1261239
* bsc#1261240
* bsc#1261241
* bsc#1261243
* bsc#1262536
* bsc#1262537
* bsc#1262538
* bsc#1262539
* bsc#1262540
* bsc#1262541
* bsc#1262542
* bsc#1262543
* bsc#1262544
* bsc#1262545
* bsc#1262546
Cross-References:
* CVE-2026-0396
* CVE-2026-0397
* CVE-2026-24028
* CVE-2026-24029
* CVE-2026-24030
* CVE-2026-27853
* CVE-2026-27854
* CVE-2026-33254
* CVE-2026-33257
* CVE-2026-33260
* CVE-2026-33593
* CVE-2026-33594
* CVE-2026-33595
* CVE-2026-33596
* CVE-2026-33597
* CVE-2026-33598
* CVE-2026-33599
* CVE-2026-33602
CVSS scores:
* CVE-2026-0396 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-0396 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-0396 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-0396 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-0397 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-0397 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-0397 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-0397 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-24028 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-24028 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-24028 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-24028 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
* CVE-2026-24029 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-24029 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-24029 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-24029 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-24030 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-24030 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-24030 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-24030 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27853 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-27853 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27853 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27853 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27854 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2026-27854 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-27854 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-27854 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33254 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33254 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33257 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33257 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33257 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33260 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33260 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33260 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33593 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33594 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33594 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33595 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33595 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33596 ( NVD ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33596 ( NVD ): 3.1 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33597 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33597 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-33598 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-33598 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-33599 ( NVD ): 3.1 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-33599 ( NVD ): 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2026-33602 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2026-33602 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that solves 18 vulnerabilities can now be installed.
## Description:
This update for dnsdist fixes the following issues:
* CVE-2026-0396: crafted DNS queries can allow injection of HTML content
(bsc#1261236).
* CVE-2026-0397: CORS misconfiguration can lead to information disclosure
(bsc#1261237).
* CVE-2026-24028: crafted DNS response packet can lead to an out-of-bounds
read (bsc#1261238).
* CVE-2026-24029: HTTPS ACL bypass can allow clients to send DoH queries
(bsc#1261239).
* CVE-2026-24030: allocating too much memory while processing DNS can result
in a denial of service (bsc#1261240).
* CVE-2026-27853: crafted DNS responses can lead to an out-of-bounds write
(bsc#1261241).
* CVE-2026-27854: crafted DNS queries can be used to trigger a use-after-free
(bsc#1261243).
* CVE-2026-33254: Resource exhaustion via DoQ/DoH3 connections (bsc#1262538).
* CVE-2026-33257: Insufficient input validation of internal webserver
(bsc#1262536).
* CVE-2026-33260: Insufficient input validation of internal webserver
(bsc#1262537).
* CVE-2026-33593: Denial of service via crafted DNSCrypt query (bsc#1262546).
* CVE-2026-33594: Outgoing DoH excessive memory allocation (bsc#1262545).
* CVE-2026-33595: DoQ/DoH3 excessive memory allocation (bsc#1262544).
* CVE-2026-33596: TCP backend stream ID overflow (bsc#1262543).
* CVE-2026-33597: PRSD detection denial of service (bsc#1262542).
* CVE-2026-33598: Out-of-bounds read in cache inspection via Lua
(bsc#1262541).
* CVE-2026-33599: Out-of-bounds read in service discovery (bsc#1262540).
* CVE-2026-33602: Off-by-one access when processing crafted UDP responses
(bsc#1262539).
Changes for dnsdist:
* Updated to 1.9.13
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-1027=1
* SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-1027=1
## Package List:
* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
* dnsdist-1.9.13-160000.1.1
* dnsdist-debugsource-1.9.13-160000.1.1
* dnsdist-debuginfo-1.9.13-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
* dnsdist-1.9.13-160000.1.1
* dnsdist-debugsource-1.9.13-160000.1.1
* dnsdist-debuginfo-1.9.13-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-0396.html
* https://www.suse.com/security/cve/CVE-2026-0397.html
* https://www.suse.com/security/cve/CVE-2026-24028.html
* https://www.suse.com/security/cve/CVE-2026-24029.html
* https://www.suse.com/security/cve/CVE-2026-24030.html
* https://www.suse.com/security/cve/CVE-2026-27853.html
* https://www.suse.com/security/cve/CVE-2026-27854.html
* https://www.suse.com/security/cve/CVE-2026-33254.html
* https://www.suse.com/security/cve/CVE-2026-33257.html
* https://www.suse.com/security/cve/CVE-2026-33260.html
* https://www.suse.com/security/cve/CVE-2026-33593.html
* https://www.suse.com/security/cve/CVE-2026-33594.html
* https://www.suse.com/security/cve/CVE-2026-33595.html
* https://www.suse.com/security/cve/CVE-2026-33596.html
* https://www.suse.com/security/cve/CVE-2026-33597.html
* https://www.suse.com/security/cve/CVE-2026-33598.html
* https://www.suse.com/security/cve/CVE-2026-33599.html
* https://www.suse.com/security/cve/CVE-2026-33602.html
* https://bugzilla.suse.com/show_bug.cgi?id=1261236
* https://bugzilla.suse.com/show_bug.cgi?id=1261237
* https://bugzilla.suse.com/show_bug.cgi?id=1261238
* https://bugzilla.suse.com/show_bug.cgi?id=1261239
* https://bugzilla.suse.com/show_bug.cgi?id=1261240
* https://bugzilla.suse.com/show_bug.cgi?id=1261241
* https://bugzilla.suse.com/show_bug.cgi?id=1261243
* https://bugzilla.suse.com/show_bug.cgi?id=1262536
* https://bugzilla.suse.com/show_bug.cgi?id=1262537
* https://bugzilla.suse.com/show_bug.cgi?id=1262538
* https://bugzilla.suse.com/show_bug.cgi?id=1262539
* https://bugzilla.suse.com/show_bug.cgi?id=1262540
* https://bugzilla.suse.com/show_bug.cgi?id=1262541
* https://bugzilla.suse.com/show_bug.cgi?id=1262542
* https://bugzilla.suse.com/show_bug.cgi?id=1262543
* https://bugzilla.suse.com/show_bug.cgi?id=1262544
* https://bugzilla.suse.com/show_bug.cgi?id=1262545
* https://bugzilla.suse.com/show_bug.cgi?id=1262546