Today we have released DNSdist 1.7.5 and 1.8.2, with absolutely no changes with, respectively, 1.7.4 and 1.8.1, apart from the fact that our own DNSdist packages have been rebuilt against our own fork of libh2o in order to mitigate CVE-2023-44487, also known as HTTP/2 rapid reset.
This attack exploits a vulnerability in most implementations of the HTTP/2 protocol, making it easier to cause a denial of service of HTTP/2 servers by sending them crafted queries. While the vulnerability does not come from DNSdist's code, all versions of DNSdist supporting DNS over HTTPS are impacted by this issue if incoming DNS over HTTPS is enabled, which is not the case by default.
As we warned earlier, libh2o is no longer supported as a stable library, and there will be no official release fixing this issue. For this reason we have forked the official h2o repository and backported the fix to the 2.2.x branch, making it available to the public. If you are not using our packages but are compiling DNSdist yourself, or relying on your distribution's packages, please ensure that you are using a patched version of libh2o in order to be protected.
In the very near future we will be releasing DNSdist 1.9.0 where DNS over HTTPS is provided by the nghttp2 library, so we do not have to rely on h2o any longer.
Please see the DNSdist website for the current documentation.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.
The tarballs (1.7.5, 1.8.2) and theirs signatures (1.7.5, 1.8.2) are available on the downloads website, and packages for several distributions are available from our repository.
Docker images have not been updated yet but will be soon.
