[rpms/dnsdist] rawhide: update to 2.0.7 fixes rhbz#2492858

[rpms/dnsdist] rawhide: update to 2.0.7 fixes rhbz#2492858

[Filipe Rosset]

            A new commit has been pushed.

            Repo   : rpms/dnsdist
            Branch : rawhide
            Commit : 8b0614f43f3d2e0632264e76829400fb189dc870
            Author : Filipe Rosset <filiperosset@fedoraproject.org>
            Date   : 2026-06-25T12:52:50-03:00
            Stats  : +3/-2 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/dnsdist/c/8b0614f43f3d2e0632264e76829400fb189dc870?branch=rawhide

            Log:
            update to 2.0.7 fixes rhbz#2492858

Full ChangeLog: https://www.dnsdist.org/changelog.html#change-2.0.7

2.0.7
Released: 25th of June 2026

Bug Fixes
CVE-2026-40210: An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.

References: pull request 17603

CVE-2026-40209: An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.

References: pull request 17604

CVE-2026-42004: An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.

References: pull request 17607

CVE-2026-40211: An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

References: pull request 17601

CVE-2026-40208: An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.

References: pull request 17606

CVE-2026-42005: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

References: pull request 17588

CVE-2026-40011: An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.

References: pull request 17600

Signed-off-by: Filipe Rosset <filiperosset@fedoraproject.org>

---
diff --git a/.gitignore b/.gitignore
index 2b97664..8fea4e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@
 /dnsdist-2.0.1.tar.xz
 /dnsdist-2.0.3.tar.xz
 /dnsdist-2.0.6.tar.xz
+/dnsdist-2.0.7.tar.xz

diff --git a/dnsdist.spec b/dnsdist.spec
index 46e0f7e..3f41844 100644
--- a/dnsdist.spec
+++ b/dnsdist.spec
@@ -6,7 +6,7 @@
 %endif
 
 Name: dnsdist
-Version: 2.0.6
+Version: 2.0.7
 Release: %autorelease
 Summary: Highly DNS-, DoS- and abuse-aware loadbalancer
 # Automatically converted from old format: GPLv2 - review is highly recommended.

diff --git a/sources b/sources
index a351e52..7e17545 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (dnsdist-2.0.6.tar.xz) = fe8ebb819d73eea8344c56108264f00f1d185a2ffed2a64c5f13997a159bb93b0384fba7c49ee562b3d42f6d091dd34a0e792402e1bec0b47f5988a5dd30c2bd
+SHA512 (dnsdist-2.0.7.tar.xz) = 709f8fde8a5e7d40ed7588cd95aa7ae0f65b4b71f964a6c0bd8b3836ca37ee9b4cd4a94d2ed7fdb7368c1337421693050475c0ece13f4efd4158954c3f0e6c60