{"id":"openSUSE-RU-2026:21160-1","summary":"Recommended update for dnscrypt-proxy","details":"This update for dnscrypt-proxy fixes the following issues:\n\nChanges in dnscrypt-proxy:\n\n- Update to version 2.1.16\n  * The \"tls_cipher_suite\" option is now a no-op. Modern TLS stacks no longer\n    expose cipher suite selection in a meaningful way, and the option had become\n    misleading\n  * A log size of 0 no longer means \"unlimited\"; it now correctly disables\n    rotation by size\n  * A new \"tls_prefer_rsa\" option has been added to prefer RSA cipher suites\n    during the TLS handshake, useful on systems without hardware AES\n  * The IP allow/block plugins now support CIDR ranges in addition to single\n    addresses and prefix matching\n  * Forwarding rules now support `$RESOLVCONF:\u003cfile\u003e` to pick up upstream\n    resolvers from a resolv.conf-style file, complementing the existing `$DHCP`\n    syntax\n  * Servers that hit a transient high RTT could previously stay penalized\n    forever and never come back into rotation; their RTT estimate now decays so\n    they can recover\n  * Servers are no longer penalized for slow responses when the response is\n    actually being served from the stale cache\n  * The HTTP transport now handles `Alt-Svc: clear` properly and reuses HTTP\n    connections more aggressively\n  * The cache TTL is now an explicit, configurable parameter rather than being\n    derived implicitly\n  * The \"-resolve\" command now reports incomplete DNSSEC support instead of\n    silently treating partial signatures as a success\n  * jsdelivr is now offered as an alternative source URL for resolver\n    lists, providing more redundancy when the primary mirrors are unreachable\n\n- boo#1260280: vendored google.golang.org/grpc v1.80.0\n- boo#1265785: vendored golang.org/x/net v0.54.0\n\n- Update to version 2.1.15\n  * Proxy hostnames (when using SOCKS/HTTP proxies) are now pre-resolved using\n    bootstrap resolvers if they are domain names\n  * Dynamically reduces timeouts as the connection limit is approached\n  * Fixed double-bracketing of IPv6 addresses in DoH stamps\n  * Cache statistics are now more accurate by only counting queries that\n    actually participate in caching\n  * Multiple IP addresses per hostname are now cached instead of randomly\n    selecting one\n\n- Update to version 2.1.14\n  * Added support for client IP address encryption in logs\n\n- Update to version 2.1.13\n  * Manual configuration reload via SIGHUP is now supported regardless of the\n    hot-reload setting, providing more flexibility for system administrators\n  * Fixed a regression in IP prefix matching for allow/block lists that could\n    cause incorrect filtering behavior\n  * The generate-domains-blocklist script now handles poor network conditions\n    more gracefully\n\n- Update to version 2.1.12\n  * The weighted Power of Two (WP2) load balancing strategy has been\n    implemented as the default\n  * An optional Prometheus metrics endpoint has been added for monitoring\n  * Additional records in queries are now properly removed before forwarding\n  * The simple view UI has been removed\n\n- Update to version 2.1.11\n  * Web-based monitoring user interface added\n  * Configuration file hot-reloading implemented\n  * HTTP/3 probing\n  * Added parallel downloading of block lists\n\n- Update to version 2.1.8\n  * Dependencies have been updated, notably the QUIC implementation, which could\n    be vulnerable to denial-of-service attacks.\n  * In forwarding rules, the target can now optionally include a non-standard\n    DNS port number. The port number is also now optional when using IPv6.\n  * An annoying log message related to permissions on Windows has been\n    suppressed.\n  * Resolver IP addresses can now be refreshed more frequently. Additionally,\n    jitter has been introduced to prevent all resolvers from being refreshed\n    simultaneously. Further changes have been implemented to mitigate issues\n    arising from multiple concurrent attempts to resolve a resolver's IP\n    address.\n  * An empty value for \"tls_cipher_suite\" is now equivalent to leaving the\n    property undefined. Previously, it disabled all TLS cipher suites, which had\n    little practical justification.\n  * In forwarding rules, an optional `*.` prefix is now accepted.\n\n- Update to version 2.1.7\n  * Reintroduces support for XSalsa20 encryption in DNSCrypt,\n    which was removed in 2.1.6. Unfortunately, a bunch of servers still\n    only support that encryption system.\n  * A check for lying resolvers was added for DNSCrypt, similar to\n    the one that was already present for DoH and ODoH.\n\n- With vendored quic-go at 0.48.2 since update to 2.1.6\n  boo#1222473 and boo#1235156 should be fixed.\n\n- Update to version 2.1.6\n  * Forwarding: in the list of servers for a zone, the `$BOOTSTRAP`\n    keyword can be included as a shortcut to forward to the bootstrap\n    servers. And the `$DHCP` keyword can be included to forward to the\n    DNS resolvers provided by the local DHCP server. Based on work by YX\n    Hao, thanks! DHCP forwarding should be considered experimental and may\n    not work on all operating systems. A rule for a zone can mix and\n    match multiple forwarder types, such as `10.0.0.1,10.0.0.254,$DHCP,\n    192.168.1.1,$BOOTSTRAP`. Note that this is not implemented for\n    captive portals yet.\n  * Lying resolvers are now skipped, instead of just printing an error.\n    This doesn't apply to captive portal and forwarding entries, which\n    are the only reasonable use case for lying resolvers.\n  * Support for XSalsa20 in DNSCrypt has been removed. This was not\n    documented, and was superseded by XChaCha20 in 2016.\n  * Source files are now fetched with compression.\n  * DNS64: compatibility has been improved.\n  * Forwarding: the root domain (`.`) can now be forwarded.\n  * The ARC caching algorithm has been replaced by the SIEVE algorithm.\n  * Properties of multiple servers are now updated simultaneously. The\n    concurrency level can be adjusted with the new\n    `cert_refresh_concurrency` setting. Contributed by YX Hao.\n  * MSI packages for DNSCrypt can now easily be built.\n  * New command-line flag: `-include-relays` to include relays in `-list`\n    and `-list-all`.\n  * Support for DNS extended error codes has been added.\n  * Documentation updates, bug fixes, dependency updates.\n","modified":"2026-06-30T18:24:39.473423622Z","published":"2026-06-25T15:31:46Z","related":["CVE-2023-49295","CVE-2024-22189","CVE-2026-33186","CVE-2026-33814"],"upstream":["CVE-2023-49295","CVE-2024-22189","CVE-2026-33186","CVE-2026-33814"],"references":[{"type":"ADVISORY"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222473"},{"type":"REPORT","url":"https://bugzilla.suse.com/1235156"},{"type":"REPORT","url":"https://bugzilla.suse.com/1260280"},{"type":"REPORT","url":"https://bugzilla.suse.com/1265785"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-49295"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-22189"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-33186"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-33814"}],"affected":[{"package":{"name":"dnscrypt-proxy","ecosystem":"openSUSE:Leap 16.0","purl":"pkg:rpm/opensuse/dnscrypt-proxy&distro=openSUSE%20Leap%2016.0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.16-bp160.1.1"}]}],"ecosystem_specific":{"binaries":[{"dnscrypt-proxy":"2.1.16-bp160.1.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/openSUSE-RU-2026:21160-1.json"}}],"schema_version":"1.7.5"}