Security update for dnsdist

Announcement ID:	SUSE-SU-2026:1618-1
Release Date:	2026-04-24T14:25:54Z
Rating:	moderate
References:	bsc#1261236 bsc#1261237 bsc#1261238 bsc#1261239 bsc#1261240 bsc#1261241 bsc#1261243
Cross-References:	CVE-2026-0396 CVE-2026-0397 CVE-2026-24028 CVE-2026-24029 CVE-2026-24030 CVE-2026-27853 CVE-2026-27854
CVSS scores:	CVE-2026-0396 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-0396 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2026-0396 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2026-0396 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2026-0397 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-0397 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-0397 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-0397 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-24028 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-24028 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-24028 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-24028 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2026-24029 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-24029 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-24029 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-24029 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-24030 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-24030 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-24030 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-24030 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-27853 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-27853 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-27853 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-27853 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-27854 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-27854 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2026-27854 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2026-27854 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves seven vulnerabilities can now be installed.

Description:

This update for dnsdist fixes the following issues:

Update to version 1.9.12.

• https://www.dnsdist.org/changelog.html#change-1.9.12

Security issues fixed:

• CVE-2026-0396: crafted DNS queries triggering domain-based dynamic rules can lead to HTML injection in the web dashboard (bsc#1261236).
• CVE-2026-0397: misconfiguration of the CORS policy can lead to information disclosure (bsc#1261237).
• CVE-2026-24028: crafted DNS packet parsed by Lua code using newDNSPacketOverlay can lead to an out-of-bounds read (bsc#1261238).
• CVE-2026-24029: disabled option on a DNS over HTTPS nghttp2 frontend allows clients to bypass ACLs and send DoH queries (bsc#1261239).
• CVE-2026-24030: crafted DoQ and DoH3 queries can lead to unbounded memory allocation and DoS (bsc#1261240).
• CVE-2026-27853: crafted DNS responses sent to a DNSdist using certain methods in custom Lua code (changeName) can lead to an out-of-bounds write (bsc#1261243).
• CVE-2026-27854: crafted DNS queries sent to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code can lead to a use-after-free (bsc#1261241).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-1618=1

Package List:

• Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • dnsdist-debugsource-1.9.12-150700.3.9.1
  • dnsdist-debuginfo-1.9.12-150700.3.9.1
  • dnsdist-1.9.12-150700.3.9.1

References:

• https://www.suse.com/security/cve/CVE-2026-0396.html
• https://www.suse.com/security/cve/CVE-2026-0397.html
• https://www.suse.com/security/cve/CVE-2026-24028.html
• https://www.suse.com/security/cve/CVE-2026-24029.html
• https://www.suse.com/security/cve/CVE-2026-24030.html
• https://www.suse.com/security/cve/CVE-2026-27853.html
• https://www.suse.com/security/cve/CVE-2026-27854.html
• https://bugzilla.suse.com/show_bug.cgi?id=1261236
• https://bugzilla.suse.com/show_bug.cgi?id=1261237
• https://bugzilla.suse.com/show_bug.cgi?id=1261238
• https://bugzilla.suse.com/show_bug.cgi?id=1261239
• https://bugzilla.suse.com/show_bug.cgi?id=1261240
• https://bugzilla.suse.com/show_bug.cgi?id=1261241
• https://bugzilla.suse.com/show_bug.cgi?id=1261243