
SUSE alert openSUSE-SU-2026:0032-1 (coredns)

From:  maintenance@opensuse.org
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:0032-1: important: Security update for coredns
Date:  Fri, 30 Jan 2026 12:04:47 +0100
Message-ID:  <20260130110447.1C5B9FD85@maintenance.suse.de>
Archive-link:  Article

   openSUSE Security Update: Security update for coredns
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0032-1
Rating:             important
References:         #1255345
Cross-References:   CVE-2025-61726 CVE-2025-61728 CVE-2025-61731
                    CVE-2025-68119 CVE-2025-68121 CVE-2025-68156
CVSS scores:
                    CVE-2025-61726 (SUSE): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
                    CVE-2025-61728 (SUSE): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
                    CVE-2025-61731 (SUSE): 7.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
                    CVE-2025-68119 (SUSE): 7.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
                    CVE-2025-68121 (SUSE): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
                    CVE-2025-68156 (SUSE): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP7
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for coredns fixes the following issues:

   - Update to version 1.14.1:
     * This release primarily addresses security vulnerabilities affecting
       Go versions prior to Go 1.25.6 and Go 1.24.12 (CVE-2025-61728,
       CVE-2025-61726, CVE-2025-68121, CVE-2025-61731, CVE-2025-68119).
       It also includes performance improvements to the proxy plugin via
       multiplexed connections, along with various documentation updates.

   - CVE-2025-68156: Fixed a denial of service due to uncontrolled
     recursion in expression evaluation (bsc#1255345)

   - Update to version 1.14.0:
     * core: Fix gosec G115 integer overflow warnings
     * core: Add regex length limit
     * plugin/azure: Fix slice init length
     * plugin/errors: Add optional show_first flag to consolidate directive
     * plugin/file: Fix for misleading SOA parser warnings
     * plugin/kubernetes: Rate limits to api server
     * plugin/metrics: Implement plugin chain tracking
     * plugin/sign: Report parser err before missing SOA
     * build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7

   - Update to version 1.13.2:
     * core: Add basic support for DoH3
     * core: Avoid proxy unnecessary alloc in Yield
     * core: Fix usage of sync.Pool to save an alloc
     * core: Fix data race with sync.RWMutex for uniq
     * core: Prevent QUIC reload panic by lazily initializing the listener
     * core: Refactor/use reflect.TypeFor
     * plugin/auto: Limit regex length
     * plugin/cache: Remove superfluous allocations in item.toMsg
     * plugin/cache: Isolate metadata in prefetch goroutine
     * plugin/cache: Correct spelling of MaximumDefaultTTL in cache and
       dnsutil packages
     * plugin/dnstap: Better error handling (redial & logging) when Dnstap
       is busy
     * plugin/file: Performance finetuning
     * plugin/forward: Disallow NOERROR in failover
     * plugin/forward: Added support for per-nameserver TLS SNI
     * plugin/forward: Prevent busy loop on connection err
     * plugin/forward: Add max connect attempts knob
     * plugin/geoip: Add ASN schema support
     * plugin/geoip: Add support for subdivisions
     * plugin/kubernetes: Fix kubernetes plugin logging
     * plugin/multisocket: Cap num sockets to prevent OOM
     * plugin/nomad: Support service filtering
     * plugin/rewrite: Pre-compile CNAME rewrite regexp
     * plugin/secondary: Fix reload causing secondary plugin goroutine to
       leak

   - Update to version 1.13.1:
     * core: Avoid string concatenation in loops
     * core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on
       CVE fixes
     * plugin/sign: Reject invalid UTF‑8 dbfile token

   - Update to version 1.13.0:
     * core: Export timeout values in dnsserver.Server
     * core: Fix Corefile infinite loop on unclosed braces
     * core: Fix Corefile related import cycle issue
     * core: Normalize panics on invalid origins
     * core: Rely on dns.Server.ShutdownContext to gracefully stop
     * plugin/dnstap: Add bounds for plugin args
     * plugin/file: Fix data race in tree Elem.Name
     * plugin/forward: No failover to next upstream when receiving
       SERVFAIL or REFUSED response codes
     * plugin/grpc: Enforce DNS message size limits
     * plugin/loop: Prevent panic when ListenHosts is empty
     * plugin/loop: Avoid panic on invalid server block
     * plugin/nomad: Add a Nomad plugin
     * plugin/reload: Prevent SIGTERM/reload deadlock

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP7:

      zypper in -t patch openSUSE-2026-32=1

Package List:

   - openSUSE Backports SLE-15-SP7 (aarch64 ppc64le x86_64):

      coredns-1.14.1-bp157.2.10.1
      coredns-debuginfo-1.14.1-bp157.2.10.1

   - openSUSE Backports SLE-15-SP7 (noarch):

      coredns-extras-1.14.1-bp157.2.10.1

References:

   https://www.suse.com/security/cve/CVE-2025-61726.html
   https://www.suse.com/security/cve/CVE-2025-61728.html
   https://www.suse.com/security/cve/CVE-2025-61731.html
   https://www.suse.com/security/cve/CVE-2025-68119.html
   https://www.suse.com/security/cve/CVE-2025-68121.html
   https://www.suse.com/security/cve/CVE-2025-68156.html
   https://bugzilla.suse.com/1255345




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds