π ~4 min read β’ Source: SUSE advisory SUSE-SU-2026:0888-1 (see also SUSE bugzilla)
Related CVEs: CVE-2025-8671 CVE-2016-7069 CVE-2024-25581 CVE-2025-30193 CVE-2025-30194 CVE-2025-30187 CVE-2017-7557 CVE-2018-14663
Upstream summary: A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them-using malformed frames or flow control errors-an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol
Table of contents
Symptom & Impact
On SLES 16 hosts that have dnsdist installed, administrators report behaviour consistent with SUSE advisory SUSE-SU-2026:0888-1: zypper patch-check lists open patches, services backed by dnsdist fail or restart unexpectedly, SELinux denials (avc) appear in ausearch β and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever dnsdist sits on the serving path.
Environment & Reproduction
Reproduction targets SLES 16. Confirm release, registration, and installed package:
cat /etc/os-release
SUSEConnect --status-text
SUSEConnect --list-extensions 2>/dev/null | head -30
rpm -q dnsdist
zypper info dnsdist | head -20Trigger the workflow that exposes dnsdist β multiple vulnerabilities (8 CVEs) β patch and remediation guide while collecting:
sudo journalctl -u dnsdist -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo tail -200 /var/log/audit/audit.log
# For SUSE support, bundle evidence with supportconfig:
sudo supportconfig -R /var/tmp -B dnsdistRoot Cause Analysis
Root cause is documented in SUSE advisory SUSE-SU-2026:0888-1. SUSE security maintainers shipped fixes in the corresponding dnsdist update for SLES 16; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:
sudo zypper history | grep dnsdist
sudo zypper history --since='-7 days' | tail -40
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modulesQuick Triage
Run these on SLES 16 to capture the current state of dnsdist:
rpm -q dnsdist # installed NVR
rpm -V dnsdist # verify shipped files
sudo zypper patch-check # open patches
sudo zypper lp -r SUSE-SLE-Server-16-* 2>/dev/null | head
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce # SELinux mode
# If dnsdist ships a systemd unit (unit name may differ from pkg name, e.g.
# bindβnamed, postgresql-serverβpostgresql, php-fpmβphp-fpm):
systemctl list-unit-files | grep -i dnsdist | headStep-by-Step Diagnosis
-
List failed systemd units.
systemctl --failed --no-pager -
Tail the journal for
dnsdistand the system bus.sudo journalctl -u dnsdist -f --no-pager sudo journalctl -xe -f --no-pager -
Inspect firewall posture (firewalld is the default on SLES 15+).
sudo firewall-cmd --list-all-zones --permanent sudo nft list ruleset 2>/dev/null | head -50 -
Surface SELinux denials and author a local policy module if needed.
sudo ausearch -m AVC,USER_AVC -ts today sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix sudo semodule -i /tmp/local-fix.pp -
Verify
dnsdistintegrity and reinstall if anything is altered.sudo rpm -V dnsdist sudo zypper verify sudo zypper install --force dnsdist -
Correlate findings with
/var/log/zypp/history,zypper history, and SUSE advisory SUSE-SU-2026:0888-1 to pin the change that introduced dnsdist β multiple vulnerabilities (8 CVEs) β patch and remediation guide.
Solution – Primary Fix
Apply the corrective zypper transaction referenced by SUSE advisory SUSE-SU-2026:0888-1, then reload affected systemd units:
sudo zypper ref # refresh repos
sudo zypper -n patch # apply ALL open patches (recommended)
# Or target a single package:
sudo zypper -n update dnsdist
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i dnsdist | head
sudo systemctl restart dnsdist
rpm -q dnsdist # confirm new NVR
systemctl is-active dnsdist 2>/dev/null # confirm running (if a unit exists)For kernel / glibc / systemd / openssl advisories a reboot is required (or SLE Live Patching where licensed):
sudo zypper ps -s # services using deleted libs
sudo systemctl reboot # or: sudo shutdown -r now
# SUSE Live Patching (kgraft / klp) avoids reboot for kernel CVEs:
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches # active livepatchesNeed help rolling this patch across a SUSE fleet? Our IT Solutions & Services team manages SUSE patch windows with SUSE Manager / RMT and Live Patching. Get in touch for a free consultation.
Solution – Alternative Approaches
If the primary patch is not viable, choose from these:
-
Roll back via Snapper (Btrfs snapshots taken automatically before zypper transactions on SLES 16):
sudo snapper list sudo snapper undochange <pre>..<post> # diff between two snapshot numbers sudo snapper rollback <pre> # boot the host into the chosen snapshot -
Lock the package so zypper cannot upgrade it:
sudo zypper al dnsdist # add lock zypper ll | grep dnsdist # list locks sudo zypper rl dnsdist # remove lock -
Install an older NVR if a regression is suspected:
zypper se -s dnsdist # show all available versions sudo zypper install --oldpackage dnsdist-<older-NVR> -
Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:
sudo setenforce 0 # reproduce, capture denials, author a custom module: sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal sudo semodule -i mylocal.pp sudo setenforce 1 -
Where SLE Live Patching is licensed, apply kernel fixes without reboot:
klp -v patches # active livepatches sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q dnsdist # expected fixed NVR
sudo zypper patch-check # 0 critical patches outstanding
systemctl is-active dnsdist 2>/dev/null
sudo journalctl -u dnsdist --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo zypper ps -s # any services still using deleted libsThe original reproduction for dnsdist β multiple vulnerabilities (8 CVEs) β patch and remediation guide must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-dnsdist' # explicit named snapshot
sudo snapper list | headTo revert if the patch is bad:
# Preferred on Btrfs root β boot the prior snapshot:
sudo snapper rollback <snapshot-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage dnsdist-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart dnsdist
# Custom security policy cleanup:
sudo semodule -r mylocalPrevention & Hardening
Reduce the chance of this recurring on SLES 16:
-
Enable automatic patch installation:
sudo zypper install -y zypper-automatic sudo systemctl enable --now zypper-automatic.timer # Or use YaST: yast2 online_update_configuration -
Subscribe to sle-security-updates and watch suse.com/support/update.
-
Mirror through SUSE Manager or RMT (Repository Mirroring Tool) for controlled rollouts:
sudo zypper install -y rmt-server rmt-cli sudo rmt-cli sync sudo rmt-cli products enable SLES/16/x86_64 -
Lock sensitive packages so they cannot be auto-upgraded:
sudo zypper al dnsdist -
Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction:
sudo snapper -c root get-config | head # Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin -
Monitor file integrity with AIDE:
sudo zypper install -y aide sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db sudo aide --check -
Subscribe to SUSE Live Patching so kernel CVEs can be remediated without reboot:
sudo SUSEConnect -p sle-module-live-patching/16.0/x86_64 sudo zypper install -y kernel-livepatch-$(uname -r | tr - _) klp -v patches -
SLES 16 ships with SELinux in enforcing mode by default; review and maintain custom modules in
/etc/selinux/targeted/rather than disabling enforcement. -
Apply CIS SUSE Linux Enterprise Server Benchmark hardening.
Related Errors & Cross-Refs
Issues that commonly surface alongside dnsdist β multiple vulnerabilities (8 CVEs) β patch and remediation guide: zypper lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:
sudo zypper ps -s
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/taintedView all sles-16 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: SUSE advisory SUSE-SU-2026:0888-1 (see also SUSE bugzilla). Manual pages useful on SLES 16:
man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man semanage
man audit2allow
man SUSEConnect
man klpOther resources: SUSE Linux Enterprise Server 16 documentation, suse.com/security, SUSE security blog, and per-package notes in /usr/share/doc/packages/dnsdist/ for components implicated in dnsdist β multiple vulnerabilities (8 CVEs) β patch and remediation guide.
