security@open-xchange.com reports:
When DNSdist is configured to provide DoH via the
nghttp2 provider, an attacker can cause a denial of service by
crafting a DoH exchange that triggers an illegal memory
access (double-free) and crash of DNSdist, causing a denial
of service. The remedy is: upgrade to the patched 1.9.9
version. A workaround is to temporarily switch to the h2o
provider until DNSdist has been upgraded to a fixed version.
We would like to thank Charles Howes for bringing this issue
to our attention.