[Git][security-tracker-team/security-tracker][master] pdns, pdns-rec, dnsdist DSAs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Apr 28 19:45:56 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
23af1399 by Moritz Mühlenhoff at 2026-04-28T20:44:36+02:00
pdns, pdns-rec, dnsdist DSAs

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -15048,49 +15048,42 @@ CVE-2025-15618 (Business::OnlinePayment::StoredTransaction versions through 0.01
 	NOT-FOR-US: Business::OnlinePayment::StoredTransaction Perl module
 CVE-2026-0396 (An attacker might be able to inject HTML content into the internal web ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
 	NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-0397 (When the internal webserver is enabled (default is disabled), an attac ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
 	NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-24028 (An attacker might be able to trigger an out-of-bounds read by sending  ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
 	NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-24029 (When the early_acl_drop (earlyACLDrop in Lua) option is disabled (defa ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
 	NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-24030 (An attacker might be able to trick DNSdist into allocating too much me ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
 	NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-27853 (An attacker might be able to trigger an out-of-bounds write by sending ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
 	NOTE: https://downloads.powerdns.com/patches/2026-02/
 CVE-2026-27854 (An attacker might be able to trigger a use-after-free by sending craft ...)
 	- dnsdist 2.0.3-1
-	[trixie] - dnsdist <no-dsa> (Minor issue)
 	[bookworm] - dnsdist <end-of-life> (See #1119290)
 	[bullseye] - dnsdist <end-of-life> (see #1119290)
 	NOTE: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
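Review bot: the seven removed `[trixie] - dnsdist <no-dsa> (Minor issue)` lines leave CVE-2026-0396 through CVE-2026-27854 with no trixie annotation in this file; the only package line left on each entry is `- dnsdist 2.0.3-1`. The trixie fixed version 1.9.14-0+deb13u1 is visible only in the data/DSA/list hunk of this commit, so confirm that it is carried into these seven entries and that trixie is not left reading as unfixed. As a style point, the bookworm and bullseye context lines differ in case (`See #1119290` against `see #1119290`) and could be normalised in a follow-up.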


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,12 @@
+[28 Apr 2026] DSA-6235-1 dnsdist - security update
+	{CVE-2026-0396 CVE-2026-0397 CVE-2026-24028 CVE-2026-24029 CVE-2026-24030 CVE-2026-27853 CVE-2026-27854 CVE-2026-33254 CVE-2026-33257 CVE-2026-33260 CVE-2026-33593 CVE-2026-33594 CVE-2026-33595 CVE-2026-33596 CVE-2026-33597 CVE-2026-33598 CVE-2026-33599 CVE-2026-33602}
+	[trixie] - dnsdist 1.9.14-0+deb13u1
+[28 Apr 2026] DSA-6234-1 pdns-recursor - security update
+	{CVE-2026-33257 CVE-2026-33258 CVE-2026-33259 CVE-2026-33260 CVE-2026-33261 CVE-2026-33600 CVE-2026-33601}
+	[trixie] - pdns-recursor 5.2.9-0+deb13u1
+[28 Apr 2026] DSA-6233-1 pdns - security update
+	{CVE-2026-33257 CVE-2026-33260 CVE-2026-33608 CVE-2026-33609 CVE-2026-33610 CVE-2026-33611}
+	[trixie] - pdns 4.9.14-0+deb13u1
 [28 Apr 2026] DSA-6232-1 webkit2gtk - security update
 	{CVE-2025-46299 CVE-2026-20643 CVE-2026-20664 CVE-2026-20665 CVE-2026-20691 CVE-2026-28857 CVE-2026-28859 CVE-2026-28861 CVE-2026-28871}
 	[trixie] - webkit2gtk 2.52.3-2~deb13u1
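Review bot: DSA-6235-1 references 18 CVEs, but the data/CVE/list hunk in this commit only touches seven of them (CVE-2026-0396 through CVE-2026-27854). For the remaining eleven, starting at CVE-2026-33254, nothing in this diff shows whether their entries carry a trixie `<no-dsa>` or similar annotation that would now contradict the DSA, so they are worth a check. CVE-2026-33257 and CVE-2026-33260 are also listed under all three new DSAs (dnsdist, pdns-recursor and pdns); confirm that their CVE entries name all three source packages.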


=====================================
data/dsa-needed.txt
=====================================
@@ -22,8 +22,6 @@ corosync
 --
 cups
 --
-dnsdist/stable (jmm)
---
 dovecot/oldstable
   Regression fix for #1134464
 --
@@ -77,10 +75,6 @@ openvswitch
 pdfminer (carnil)
   Required followup for CVE-2025-64512 as original fix was incomplete.
 --
-pdns/stable (jmm)
---
-pdns-recursor/stable (jmm)
---
 php-laravel-framework/oldstable
 --
 python-aiohttp
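Review bot: the removed `pdns/stable (jmm)` and `pdns-recursor/stable (jmm)` entries are matched by DSA-6233-1 and DSA-6234-1, but both DSAs carry only a `[trixie]` line and this commit shows no oldstable status for either package. For dnsdist the data/CVE/list context lines mark bookworm as `<end-of-life>`; nothing equivalent is visible here for pdns or pdns-recursor, so confirm whether `pdns/oldstable` and `pdns-recursor/oldstable` need entries in this file or are already triaged elsewhere.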



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23af13998352412e881867bdc528124ab60fc4b3
