A flaw was found in systemd-resolved: when the DNSOverTLS option is set to yes, it does not correctly verify the TLS certificate presented by the DNS resolver it uses for DNS over TLS. A remote attacker positioned on the network path between the vulnerable system and the resolver can exploit this to mount a man-in-the-middle attack, presenting a certificate of their own and eavesdropping on or modifying DNS queries and responses. The attacker can thereby learn which sites a victim user visits, or redirect the user to malicious sites.