Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aardvark-dns for openSUSE:Factory checked in at 2026-04-18 21:34:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aardvark-dns (Old) and /work/SRC/openSUSE:Factory/.aardvark-dns.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aardvark-dns"
Sat Apr 18 21:34:03 2026 rev:19 rq:1347281 version:1.17.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/aardvark-dns/aardvark-dns.changes 2025-12-24 13:16:46.255596689 +0100
+++ /work/SRC/openSUSE:Factory/.aardvark-dns.new.11940/aardvark-dns.changes 2026-04-18 21:34:10.216173845 +0200
@@ -1,0 +2,9 @@
+Wed Apr 08 01:42:15 UTC 2026 - Danish Prakash <[email protected]>
+
+- Update to version 1.17.1:
+ * release v1.17.1
+ * release notes for v1.17.1
+ * migration to oidc connection
+ * fix handling of incorrect tcp packets (bsc#1261735, CVE-2026-35406)
+
+-------------------------------------------------------------------
Old:
----
aardvark-dns-1.17.0.obscpio
aardvark-dns-1.17.0.tar.gz
New:
----
aardvark-dns-1.17.1.obscpio
aardvark-dns-1.17.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ aardvark-dns.spec ++++++
--- /var/tmp/diff_new_pack.VWilpy/_old 2026-04-18 21:34:11.552228130 +0200
+++ /var/tmp/diff_new_pack.VWilpy/_new 2026-04-18 21:34:11.556228292 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package aardvark-dns
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: aardvark-dns
-Version: 1.17.0
+Version: 1.17.1
 Release: 0
 Summary: Authoritative dns server for A/AAAA container records
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.VWilpy/_old 2026-04-18 21:34:11.604230243 +0200
+++ /var/tmp/diff_new_pack.VWilpy/_new 2026-04-18 21:34:11.612230567 +0200
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/containers/aardvark-dns</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="scm">git</param>
- <param name="revision">v1.17.0</param>
+ <param name="revision">v1.17.1</param>
 <param name="match-tag">*</param>
 <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
 <param name="versionrewrite-replacement">\1</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.VWilpy/_old 2026-04-18 21:34:11.640231705 +0200
+++ /var/tmp/diff_new_pack.VWilpy/_new 2026-04-18 21:34:11.644231868 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/containers/aardvark-dns</param>
- <param name="changesrevision">2158073ba56807fb1a7731899712a54603c3d150</param></service></servicedata>
+ <param name="changesrevision">d9d17d4fe9d0a43512f6203042543deb3431a1bb</param></service></servicedata>
(No newline at EOF)
++++++ aardvark-dns-1.17.0.obscpio -> aardvark-dns-1.17.1.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/.cirrus.yml new/aardvark-dns-1.17.1/.cirrus.yml
--- old/aardvark-dns-1.17.0/.cirrus.yml 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/.cirrus.yml 2026-04-07 18:28:05.000000000 +0200
@@ -27,7 +27,10 @@
 gcp_credentials: ENCRYPTED[f6a0e4101418bec8180783b208721fc990772817364fed0346f5fd126bf0cfca03738dd8c7fb867944637a1eac7cec37]
-aws_credentials: ENCRYPTED[db54f7f642877c68cc64fb78468ef99170d387ef6ece5172b2d6fbbb8095d4d276909468c339fe3b38234340bae2189d]
+aws_credentials:
+ role_arn: arn:aws:iam::449134212816:role/aardvark-dns-ci-role
+ role_session_name: cirrus
+ region: us-east-1
 build_task:
 alias: "build"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/Cargo.lock new/aardvark-dns-1.17.1/Cargo.lock
--- old/aardvark-dns-1.17.0/Cargo.lock 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/Cargo.lock 2026-04-07 18:28:05.000000000 +0200
@@ -4,7 +4,7 @@
 [[package]]
 name = "aardvark-dns"
-version = "1.17.0"
+version = "1.17.1"
 dependencies = [
 "arc-swap",
 "chrono",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/Cargo.toml new/aardvark-dns-1.17.1/Cargo.toml
--- old/aardvark-dns-1.17.0/Cargo.toml 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/Cargo.toml 2026-04-07 18:28:05.000000000 +0200
@@ -1,7 +1,7 @@
 [package]
 name = "aardvark-dns"
 # This version specification right below is reused by .packit.sh to generate rpm version
-version = "1.17.0"
+version = "1.17.1"
 edition = "2018"
 authors = ["github.com/containers"]
 license = "Apache-2.0"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/RELEASE_NOTES.md new/aardvark-dns-1.17.1/RELEASE_NOTES.md
--- old/aardvark-dns-1.17.0/RELEASE_NOTES.md 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/RELEASE_NOTES.md 2026-04-07 18:28:05.000000000 +0200
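Review bot: The new `aws_credentials` block hard-codes a `role_arn` but says nothing about what the role's trust policy pins, so a reader of this file cannot tell whether the OIDC federation is limited to this repository's protected branches or could also be assumed from a fork's CI run; the trust policy is not visible here and should be confirmed on the IAM side. A one-line comment above `role_arn:` such as `# trust policy limits the Cirrus OIDC subject to <repo/branch conditions> — keep in sync with the IAM role` would make that check reviewable in the file itself. `gcp_credentials` still carries a static `ENCRYPTED[...]` secret, so it is worth a comment stating whether leaving it on the old mechanism is intentional. The same hunk recurs in the aardvark-dns-1.17.1.tar.gz listing further down.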
@@ -1,5 +1,9 @@
 # Release Notes
+## v1.17.1
+
+* This release fixes a security issue (CVE-2026-35406) where tcp connections where not handled correctly when receiving a malformed packet which causes aardvark-dns to enter a infinite loop at 100% cpu usage which can lead to a DOS attack. Versions before v1.16.0 are unaffected.
+
 ## v1.17.0
 * Aardvark-dns now updates the upstream nameservers from /etc/resolv.conf when the file content changes using inotify. This means a container restart is no longer required to re-read resolv.conf.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/src/dns/coredns.rs new/aardvark-dns-1.17.1/src/dns/coredns.rs
--- old/aardvark-dns-1.17.0/src/dns/coredns.rs 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/src/dns/coredns.rs 2026-04-07 18:28:05.000000000 +0200
@@ -17,7 +17,6 @@
 DnsStreamHandle,
 };
 use log::{debug, error, trace, warn};
-use std::io::Error;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use std::sync::Mutex;
@@ -83,15 +82,21 @@
 break;
 },
 v = receiver.next() => {
- let msg_received = match v {
- Some(value) => value,
+ let msg = match v {
+ Some(value) => match value {
+ Ok(msg) => msg,
+ Err(e) => {
+ debug!("Error parsing dns message {e:?}");
+ continue;
+ },
+ },
 None => {
 // None received, nothing to process so continue
 debug!("None recevied from stream, continue the loop");
 continue;
 }
 };
- Self::process_message(&self.inner, msg_received, &sender_original, Protocol::Udp).await;
+ Self::process_message(&self.inner, msg, &sender_original, Protocol::Udp).await;
 },
 res = tcp_listener.accept() => {
 match res {
@@ -122,9 +127,16 @@
 // we do not want this so add a 3s timeout then we close the socket.
 match tokio::time::timeout(Duration::from_secs(3), hickory_stream.next()).await {
 Ok(message) => match message {
- Some(msg) => {
- Self::process_message(&data, msg, &sender_original, Protocol::Tcp).await
- }
+ Some(msg_result) => match msg_result {
+ Ok(msg) => {
+ Self::process_message(&data, msg, &sender_original, Protocol::Tcp).await
+ }
+ Err(e) => {
+ debug!("Error parsing dns message {e:?}");
+ // error on that stream, abort so we do not try reusing this one for more messages.
+ break;
+ }
+ },
 // end of stream
 None => break,
 },
@@ -140,17 +152,10 @@
 async fn process_message(
 data: &CoreDnsData,
- msg_received: Result<SerialMessage, Error>,
+ msg: SerialMessage,
 sender_original: &BufDnsStreamHandle,
 proto: Protocol,
 ) {
- let msg = match msg_received {
- Ok(msg) => msg,
- Err(e) => {
- error!("Error parsing dns message {e:?}");
- return;
- }
- };
 let backend = data.backend.load();
 let src_address = msg.addr();
 let mut sender = sender_original.with_remote_addr(src_address);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/test/100-basic-name-resolution.bats new/aardvark-dns-1.17.1/test/100-basic-name-resolution.bats
--- old/aardvark-dns-1.17.0/test/100-basic-name-resolution.bats 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/test/100-basic-name-resolution.bats 2026-04-07 18:28:05.000000000 +0200
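Review bot: The new `Err(e)` arm in the TCP branch reports a malformed frame at `debug!`, whereas the arm it replaces in process_message used `error!`, so a peer that keeps sending truncated length-prefixed messages — the pattern the CVE-2026-35406 regression test exercises — now leaves no trace at the default log level. `warn` is already imported on the `use log::{debug, error, trace, warn};` context line, so `warn!("Closing tcp connection after dns parse error: {e:?}");` would keep the event visible to operators without being per-packet noise; the identical hunk in the aardvark-dns-1.17.1.tar.gz listing below has the same gap. The comment above `break` would also help more if it said why the loop must end — presumably the stream does not consume the bad bytes, so polling it again returns the same error immediately, which is what produced the 100% cpu spin described in the release notes; confirm against the hickory stream semantics. The enclosing accept-handler loop starts before this hunk, and with the `error!` call removed from process_message the `error` import may be unused in this file — worth a look at the build warnings.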
@@ -371,3 +371,29 @@
 run_in_container_netns "$a1_pid" "dig" "+short" "second-server.test" "@$gw"
 assert "$output" == "192.168.100.2" "should resolve using second DNS server after resolv.conf change"
 }
+
+@test "check for incorrect tcp packet" {
+ setup_dnsmasq
+
+ subnet_a=$(random_subnet 5)
+ create_config network_name="podman1" container_id=$(random_string 64) container_name="aone" subnet="$subnet_a"
+ config_a1=$config
+ ip_a1=$(echo "$config_a1" | jq -r .networks.podman1.static_ips[0])
+ gw=$(echo "$config_a1" | jq -r .network_info.podman1.subnets[0].gateway)
+ create_container "$config_a1"
+ a1_pid=$CONTAINER_NS_PID
+
+ # send custom crafted package, first two bytes mean package length 60 but we never send more and close instead
+ run_in_container_netns "$a1_pid" socat - TCP4:$gw:53 <<<$'\x00\x3c'
+
+ # wait a second to meaningful check cpu usage
+ sleep 1
+
+ av_cpu=$(ps -o c --no-headers -p $(<$AARDVARK_TMPDIR/aardvark-dns/aardvark.pid))
+ echo $av_cpu --
+ assert "$av_cpu" -lt 5 "aardvark-dns used to much cpu"
+
+ # ensure dns via tcp still works
+ run_in_container_netns "$a1_pid" "dig" +tcp "+short" "aone" "@$gw"
+ assert "$ip_a1"
+}
++++++ aardvark-dns-1.17.0.tar.gz -> aardvark-dns-1.17.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/.cirrus.yml new/aardvark-dns-1.17.1/.cirrus.yml
--- old/aardvark-dns-1.17.0/.cirrus.yml 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/.cirrus.yml 2026-04-07 18:28:05.000000000 +0200
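Review bot: The comment above the socat line says only the two length bytes are sent, but a bash here-string appends a newline, so the peer actually receives `\x00\x3c\x0a` — a 60-byte length prefix followed by one body byte before the close. That still reproduces the truncated-frame case the CVE-2026-35406 fix covers, so either reword the comment (`# first two bytes announce a 60 byte message, only one more byte follows before we close`) or send exactly two bytes with `printf '\x00\x3c' | run_in_container_netns "$a1_pid" socat - TCP4:$gw:53`, which relies on the helper forwarding stdin the same way it already does for the here-string. `assert "$ip_a1"` depends on the one-argument form of the helper comparing against `$output`; `assert "$output" == "$ip_a1" "dns via tcp should still resolve"` matches the other tests in this file and gives the failure a message. The cpu assertion message has a typo: `"aardvark-dns used too much cpu"`. The identical hunk in the aardvark-dns-1.17.1.tar.gz listing below carries the same points.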
@@ -27,7 +27,10 @@
 gcp_credentials: ENCRYPTED[f6a0e4101418bec8180783b208721fc990772817364fed0346f5fd126bf0cfca03738dd8c7fb867944637a1eac7cec37]
-aws_credentials: ENCRYPTED[db54f7f642877c68cc64fb78468ef99170d387ef6ece5172b2d6fbbb8095d4d276909468c339fe3b38234340bae2189d]
+aws_credentials:
+ role_arn: arn:aws:iam::449134212816:role/aardvark-dns-ci-role
+ role_session_name: cirrus
+ region: us-east-1
 build_task:
 alias: "build"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/Cargo.lock new/aardvark-dns-1.17.1/Cargo.lock
--- old/aardvark-dns-1.17.0/Cargo.lock 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/Cargo.lock 2026-04-07 18:28:05.000000000 +0200
@@ -4,7 +4,7 @@
 [[package]]
 name = "aardvark-dns"
-version = "1.17.0"
+version = "1.17.1"
 dependencies = [
 "arc-swap",
 "chrono",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/Cargo.toml new/aardvark-dns-1.17.1/Cargo.toml
--- old/aardvark-dns-1.17.0/Cargo.toml 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/Cargo.toml 2026-04-07 18:28:05.000000000 +0200
@@ -1,7 +1,7 @@
 [package]
 name = "aardvark-dns"
 # This version specification right below is reused by .packit.sh to generate rpm version
-version = "1.17.0"
+version = "1.17.1"
 edition = "2018"
 authors = ["github.com/containers"]
 license = "Apache-2.0"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/RELEASE_NOTES.md new/aardvark-dns-1.17.1/RELEASE_NOTES.md
--- old/aardvark-dns-1.17.0/RELEASE_NOTES.md 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/RELEASE_NOTES.md 2026-04-07 18:28:05.000000000 +0200
@@ -1,5 +1,9 @@
 # Release Notes
+## v1.17.1
+
+* This release fixes a security issue (CVE-2026-35406) where tcp connections where not handled correctly when receiving a malformed packet which causes aardvark-dns to enter a infinite loop at 100% cpu usage which can lead to a DOS attack. Versions before v1.16.0 are unaffected.
+
 ## v1.17.0
 * Aardvark-dns now updates the upstream nameservers from /etc/resolv.conf when the file content changes using inotify. This means a container restart is no longer required to re-read resolv.conf.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/src/dns/coredns.rs new/aardvark-dns-1.17.1/src/dns/coredns.rs
--- old/aardvark-dns-1.17.0/src/dns/coredns.rs 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/src/dns/coredns.rs 2026-04-07 18:28:05.000000000 +0200
@@ -17,7 +17,6 @@
 DnsStreamHandle,
 };
 use log::{debug, error, trace, warn};
-use std::io::Error;
 use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use std::sync::Mutex;
@@ -83,15 +82,21 @@
 break;
 },
 v = receiver.next() => {
- let msg_received = match v {
- Some(value) => value,
+ let msg = match v {
+ Some(value) => match value {
+ Ok(msg) => msg,
+ Err(e) => {
+ debug!("Error parsing dns message {e:?}");
+ continue;
+ },
+ },
 None => {
 // None received, nothing to process so continue
 debug!("None recevied from stream, continue the loop");
 continue;
 }
 };
- Self::process_message(&self.inner, msg_received, &sender_original, Protocol::Udp).await;
+ Self::process_message(&self.inner, msg, &sender_original, Protocol::Udp).await;
 },
 res = tcp_listener.accept() => {
 match res {
@@ -122,9 +127,16 @@
 // we do not want this so add a 3s timeout then we close the socket.
 match tokio::time::timeout(Duration::from_secs(3), hickory_stream.next()).await {
 Ok(message) => match message {
- Some(msg) => {
- Self::process_message(&data, msg, &sender_original, Protocol::Tcp).await
- }
+ Some(msg_result) => match msg_result {
+ Ok(msg) => {
+ Self::process_message(&data, msg, &sender_original, Protocol::Tcp).await
+ }
+ Err(e) => {
+ debug!("Error parsing dns message {e:?}");
+ // error on that stream, abort so we do not try reusing this one for more messages.
+ break;
+ }
+ },
 // end of stream
 None => break,
 },
@@ -140,17 +152,10 @@
 async fn process_message(
 data: &CoreDnsData,
- msg_received: Result<SerialMessage, Error>,
+ msg: SerialMessage,
 sender_original: &BufDnsStreamHandle,
 proto: Protocol,
 ) {
- let msg = match msg_received {
- Ok(msg) => msg,
- Err(e) => {
- error!("Error parsing dns message {e:?}");
- return;
- }
- };
 let backend = data.backend.load();
 let src_address = msg.addr();
 let mut sender = sender_original.with_remote_addr(src_address);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aardvark-dns-1.17.0/test/100-basic-name-resolution.bats new/aardvark-dns-1.17.1/test/100-basic-name-resolution.bats
--- old/aardvark-dns-1.17.0/test/100-basic-name-resolution.bats 2025-11-12 13:42:35.000000000 +0100
+++ new/aardvark-dns-1.17.1/test/100-basic-name-resolution.bats 2026-04-07 18:28:05.000000000 +0200
@@ -371,3 +371,29 @@
 run_in_container_netns "$a1_pid" "dig" "+short" "second-server.test" "@$gw"
 assert "$output" == "192.168.100.2" "should resolve using second DNS server after resolv.conf change"
 }
+
+@test "check for incorrect tcp packet" {
+ setup_dnsmasq
+
+ subnet_a=$(random_subnet 5)
+ create_config network_name="podman1" container_id=$(random_string 64) container_name="aone" subnet="$subnet_a"
+ config_a1=$config
+ ip_a1=$(echo "$config_a1" | jq -r .networks.podman1.static_ips[0])
+ gw=$(echo "$config_a1" | jq -r .network_info.podman1.subnets[0].gateway)
+ create_container "$config_a1"
+ a1_pid=$CONTAINER_NS_PID
+
+ # send custom crafted package, first two bytes mean package length 60 but we never send more and close instead
+ run_in_container_netns "$a1_pid" socat - TCP4:$gw:53 <<<$'\x00\x3c'
+
+ # wait a second to meaningful check cpu usage
+ sleep 1
+
+ av_cpu=$(ps -o c --no-headers -p $(<$AARDVARK_TMPDIR/aardvark-dns/aardvark.pid))
+ echo $av_cpu --
+ assert "$av_cpu" -lt 5 "aardvark-dns used to much cpu"
+
+ # ensure dns via tcp still works
+ run_in_container_netns "$a1_pid" "dig" +tcp "+short" "aone" "@$gw"
+ assert "$ip_a1"
+}
++++++ aardvark-dns.obsinfo ++++++
--- /var/tmp/diff_new_pack.VWilpy/_old 2026-04-18 21:34:12.008246658 +0200
+++ /var/tmp/diff_new_pack.VWilpy/_new 2026-04-18 21:34:12.012246820 +0200
@@ -1,5 +1,5 @@
 name: aardvark-dns
-version: 1.17.0
-mtime: 1762951355
-commit: 2158073ba56807fb1a7731899712a54603c3d150
+version: 1.17.1
+mtime: 1775579285
+commit: d9d17d4fe9d0a43512f6203042543deb3431a1bb
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/aardvark-dns/vendor.tar.gz /work/SRC/openSUSE:Factory/.aardvark-dns.new.11940/vendor.tar.gz differ: char 12, line 1
