
SUSE alert openSUSE-SU-2026:20099-1 (coredns)

From:  null@suse.de
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:20099-1: important: Security update for coredns
Date:  Sun, 25 Jan 2026 10:15:57 +0100
Message-ID:  <20260125091557.A2201FF0D@maintenance.suse.de>

openSUSE security update: security update for coredns
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20099-1
Rating: important
References:
  * bsc#1239294
  * bsc#1239728
  * bsc#1249389
  * bsc#1255345
  * bsc#1256411
Cross-References:
  * CVE-2024-51744
  * CVE-2025-58063
  * CVE-2025-68156
  * CVE-2025-68161
CVSS scores:
  * CVE-2024-51744 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  * CVE-2024-51744 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-58063 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  * CVE-2025-68156 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-68156 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-68161 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
  * CVE-2025-68161 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected Products:
  * openSUSE Leap 16.0
-------------------------------------------------------------

An update that solves 4 vulnerabilities and has 5 bug fixes can now be installed.
Description:

This update for coredns fixes the following issues:

Changes in coredns:

- fix CVE-2025-68156 bsc#1255345
- fix CVE-2025-68161 bsc#1256411
- Update to version 1.14.0:
  * core: Fix gosec G115 integer overflow warnings
  * core: Add regex length limit
  * plugin/azure: Fix slice init length
  * plugin/errors: Add optional show_first flag to consolidate directive
  * plugin/file: Fix for misleading SOA parser warnings
  * plugin/kubernetes: Rate limits to api server
  * plugin/metrics: Implement plugin chain tracking
  * plugin/sign: Report parser err before missing SOA
  * build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7
- Update to version 1.13.2:
  * core: Add basic support for DoH3
  * core: Avoid proxy unnecessary alloc in Yield
  * core: Fix usage of sync.Pool to save an alloc
  * core: Fix data race with sync.RWMutex for uniq
  * core: Prevent QUIC reload panic by lazily initializing the listener
  * core: Refactor/use reflect.TypeFor
  * plugin/auto: Limit regex length
  * plugin/cache: Remove superfluous allocations in item.toMsg
  * plugin/cache: Isolate metadata in prefetch goroutine
  * plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil packages
  * plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy
  * plugin/file: Performance finetuning
  * plugin/forward: Disallow NOERROR in failover
  * plugin/forward: Added support for per-nameserver TLS SNI
  * plugin/forward: Prevent busy loop on connection err
  * plugin/forward: Add max connect attempts knob
  * plugin/geoip: Add ASN schema support
  * plugin/geoip: Add support for subdivisions
  * plugin/kubernetes: Fix kubernetes plugin logging
  * plugin/multisocket: Cap num sockets to prevent OOM
  * plugin/nomad: Support service filtering
  * plugin/rewrite: Pre-compile CNAME rewrite regexp
  * plugin/secondary: Fix reload causing secondary plugin goroutine to leak
- Update to version 1.13.1:
  * core: Avoid string concatenation in loops
  * core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
  * plugin/sign: Reject invalid UTF‑8 dbfile token
- Update to version 1.13.0:
  * core: Export timeout values in dnsserver.Server
  * core: Fix Corefile infinite loop on unclosed braces
  * core: Fix Corefile related import cycle issue
  * core: Normalize panics on invalid origins
  * core: Rely on dns.Server.ShutdownContext to gracefully stop
  * plugin/dnstap: Add bounds for plugin args
  * plugin/file: Fix data race in tree Elem.Name
  * plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED response codes
  * plugin/grpc: Enforce DNS message size limits
  * plugin/loop: Prevent panic when ListenHosts is empty
  * plugin/loop: Avoid panic on invalid server block
  * plugin/nomad: Add a Nomad plugin
  * plugin/reload: Prevent SIGTERM/reload deadlock
- fix CVE-2025-58063 bsc#1249389
- Update to version 1.12.4:
  * bump deps
  * fix(transfer): goroutine leak on axfr err (#7516)
  * plugin/etcd: fix import order for ttl test (#7515)
  * fix(grpc): check proxy list length in policies (#7512)
  * fix(https): propagate HTTP request context (#7491)
  * fix(plugin): guard nil lookups across plugins (#7494)
  * lint: add missing prealloc to backend lookup test (#7510)
  * fix(grpc): span leak on error attempt (#7487)
  * test(plugin): improve backend lookup coverage (#7496)
  * lint: enable prealloc (#7493)
  * lint: enable durationcheck (#7492)
  * Add Sophotech to adopters list (#7495)
  * plugin: Use %w to wrap user error (#7489)
  * fix(metrics): add timeouts to metrics HTTP server (#7469)
  * chore(ci): restrict token permissions (#7470)
  * chore(ci): pin workflow dependencies (#7471)
  * fix(forward): use netip package for parsing (#7472)
  * test(plugin): improve test coverage for pprof (#7473)
  * build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
  * plugin/file: fix label offset problem in ClosestEncloser (#7465)
  * feat(trace): migrate dd-trace-go v1 to v2 (#7466)
  * test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
  * chore: update Go version to 1.24.6 (#7437)
  * plugin/header: Remove deprecated syntax (#7436)
  * plugin/loadbalance: support prefer option (#7433)
  * Improve caddy.GracefulServer conformance checks (#7416)
- Update to version 1.12.3:
  * chore: Minor changes to `Dockerfile` (#7428)
  * Properly create hostname from IPv6 (#7431)
  * Bump deps
  * fix: handle cached connection closure in forward plugin (#7427)
  * plugin/test: fix TXT record comparison for multi-chunk vs multiple records
  * plugin/file: preserve case in SRV record names and targets per RFC 6763
  * fix(auto/file): return REFUSED when no next plugin is available (#7381)
  * Port to AWS Go SDK v2 (#6588)
  * fix(cache): data race when refreshing cached messages (#7398)
  * fix(cache): data race when updating the TTL of cached messages (#7397)
  * chore: fix docs incompatibility (#7390)
  * plugin/rewrite: Add EDNS0 Unset Action (#7380)
  * add args: startup_timeout for kubernetes plugin (#7068)
  * [plugin/cache] create a copy of a response to ensure original data is never modified
  * Add support for fallthrough to the grpc plugin (#7359)
  * view: Add IPv6 example match (#7355)
  * chore: enable more rules from revive (#7352)
  * chore: enable early-return and superfluous-else from revive (#7129)
  * test(plugin): improve tests for auto (#7348)
  * fix(proxy): flaky dial tests (#7349)
  * test: add t.Helper() calls to test helper functions (#7351)
  * fix(kubernetes): multicluster DNS race condition (#7350)
  * lint: enable wastedassign linter (#7340)
  * test(plugin): add tests for any (#7341)
  * Actually invoke make release -f Makefile.release during test (#7338)
  * Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
  * lint: enable protogetter linter (#7336)
  * lint: enable nolintlint linter (#7332)
  * fix: missing intrange lint fix (#7333)
  * perf(kubernetes): optimize AutoPath slice allocation (#7323)
  * lint: enable intrange linter (#7331)
  * feat(plugin/file): fallthrough (#7327)
  * lint: enable canonicalheader linter (#7330)
  * fix(proxy): avoid Dial hang after Transport stopped (#7321)
  * test(plugin): add tests for pkg/rand (#7320)
  * test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
  * fix: loop variable capture and linter (#7328)
  * lint: enable usetesting linter (#7322)
  * test: skip certain network-specific tests on non-Linux (#7318)
  * test(dnsserver): improve core/dnsserver test coverage (#7317)
  * fix(metrics): preserve request size from plugins (#7313)
  * fix: ensure DNS query name reset in plugin.NS error path (#7142)
  * feat: enable plugins via environment during build (#7310)
  * fix(plugin/bind): remove zone for link-local IPv4 (#7295)
  * test(request): improve coverage across package (#7307)
  * test(coremain): Add unit tests (#7308)
  * ci(test-e2e): add Go version setup to workflow (#7309)
  * kubernetes: add multicluster support (#7266)
  * chore: Add new maintainer thevilledev (#7298)
  * Update golangci-lint (#7294)
  * feat: limit concurrent DoQ streams and goroutines (#7296)
  * docs: add man page for multisocket plugin (#7297)
  * Prepare for the k8s api upgrade (#7293)
  * fix(rewrite): truncated upstream response (#7277)
  * fix(plugin/secondary): make transfer property mandatory (#7249)
  * plugin/bind: remove macOS bug mention in docs (#7250)
  * Remove `?bla=foo:443` for `POST` DoH (#7257)
  * Do not interrupt querying readiness probes for plugins (#6975)
  * Added `SetProxyOptions` function for `forward` plugin (#7229)
- Backported quic-go PR #5094: Fix parsing of ifindex from packets to ensure compatibility with big-endian architectures (see quic-go/quic-go#4978, coredns/coredns#6682).
- Update to version 1.12.1:
  * core: Increase CNAME lookup limit from 7 to 10 (#7153)
  * plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
  * plugin/kubernetes: Revert "only create PTR records for endpoints with hostname defined"
  * plugin/forward: added option failfast_all_unhealthy_upstreams to return servfail if all upstreams are down
  * bump dependencies, fixing bsc#1239294 and bsc#1239728
- Update to version 1.12.0:
  * New multisocket plugin - allows CoreDNS to listen on multiple sockets
  * bump deps
- Update to version 1.11.4:
  * forward plugin: new option next, to try alternate upstreams when receiving specified response codes upstreams on (functions like the external plugin alternate)
  * dnssec plugin: new option to load keys from AWS Secrets Manager
  * rewrite plugin: new option to revert EDNS0 option rewrites in responses
- Update to version 1.11.3+git129.387f34d:
  * fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991) build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
  * core: set cache-control max-age as integer, not float (#6764)
  * Issue-6671: Fixed the order of plugins. (#6729)
  * `root`: explicit mark `dnssec` support (#6753)
  * feat: dnssec load keys from AWS Secrets Manager (#6618)
  * fuzzing: fix broken oss-fuzz build (#6880)
  * Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
  * Update .go-version to 1.23.2 (#6920)
  * plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
  * Added OpenSSF Scorecard Badge (#6738)
  * fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
  * fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
  * feature: log queue and buffer memory size configuration (#6591)
  * plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
  * only create PTR records for endpoints with hostname defined (#6898)
  * fix: reverter should execute the reversion in reversed order (#6872)
  * plugin/etcd: fix etcd connection leakage when reload (#6646)
  * kubernetes: Add useragent (#6484)
  * Update build (#6836)
  * Update grpc library use (#6826)
  * Bump go version from 1.21.11 to 1.21.12 (#6800)
  * Upgrade antonmedv/expr to expr-lang/expr (#6814)
  * hosts: add hostsfile as label for coredns_hosts_entries (#6801)
  * fix TestCorefile1 panic for nil handling (#6802)

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0
  zypper in -t patch openSUSE-Leap-16.0-packagehub-87=1

Package List:

- openSUSE Leap 16.0:
  coredns-1.14.0-bp160.1.1
  coredns-extras-1.14.0-bp160.1.1

References:

* https://www.suse.com/security/cve/CVE-2024-51744.html
* https://www.suse.com/security/cve/CVE-2025-58063.html
* https://www.suse.com/security/cve/CVE-2025-68156.html
* https://www.suse.com/security/cve/CVE-2025-68161.html




Copyright © 2026, Eklektix, Inc.