diff --git a/coredns b/coredns index c75b9e7..8273aa6 160000 --- a/coredns +++ b/coredns @@ -1 +1 @@ -Subproject commit c75b9e7492018b875ac4e5cd272c3439399f31f7c7f5c4251266f73f3d757dd6 +Subproject commit 8273aa64e4b861649bfe5131d494f3071cdeabcd0f155e04e24296b97c8b059c diff --git a/patchinfo.20260120154940279982.93181000773252/_patchinfo b/patchinfo.20260120154940279982.93181000773252/_patchinfo new file mode 100644 index 0000000..950d0e9 --- /dev/null +++ b/patchinfo.20260120154940279982.93181000773252/_patchinfo 
@@ -0,0 +1,222 @@ + + + + + VUL-0: CVE-2025-29786: coredns: github.com/expr-lang/expr: memory exhaustion when unbounded input string is processed by Expr expression parser + VUL-0: CVE-2025-68151: coredns: coredns: lack of resource-limiting controls in multiple CoreDNS server implementations allows an unauthenticated remote attacker to exhaust memory and crash the server + VUL-0: CVE-2025-22868: coredns: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 + + VUL-0: CVE-2025-58063: coredns: CoreDNS Lease ID Confusion + VUL-0: CVE-2025-68156: coredns: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service + amanzini + important + security + Security update for coredns + This update for coredns fixes the following issues: + +Changes in coredns: + +- fix CVE-2025-68156 bsc#1255345 +- fix CVE-2025-68161 bsc#1256411 +- Update to version 1.14.0: + * core: Fix gosec G115 integer overflow warnings + * core: Add regex length limit + * plugin/azure: Fix slice init length + * plugin/errors: Add optional show_first flag to consolidate directive + * plugin/file: Fix for misleading SOA parser warnings + * plugin/kubernetes: Rate limits to api server + * plugin/metrics: Implement plugin chain tracking + * plugin/sign: Report parser err before missing SOA + * build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7 + +- Update to version 1.13.2: + * core: Add basic support for DoH3 + * core: Avoid proxy unnecessary alloc in Yield + * core: Fix usage of sync.Pool to save an alloc + * core: Fix data race with sync.RWMutex for uniq + * core: Prevent QUIC reload panic by lazily initializing the listener + * core: Refactor/use reflect.TypeFor + * plugin/auto: Limit regex length + * plugin/cache: Remove superfluous allocations in item.toMsg + * plugin/cache: Isolate metadata in prefetch goroutine + * plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil + 
packages + * plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy + * plugin/file: Performance finetuning + * plugin/forward: Disallow NOERROR in failover + * plugin/forward: Added support for per-nameserver TLS SNI + * plugin/forward: Prevent busy loop on connection err + * plugin/forward: Add max connect attempts knob + * plugin/geoip: Add ASN schema support + * plugin/geoip: Add support for subdivisions + * plugin/kubernetes: Fix kubernetes plugin logging + * plugin/multisocket: Cap num sockets to prevent OOM + * plugin/nomad: Support service filtering + * plugin/rewrite: Pre-compile CNAME rewrite regexp + * plugin/secondary: Fix reload causing secondary plugin goroutine to leak + +- Update to version 1.13.1: + * core: Avoid string concatenation in loops + * core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes + * plugin/sign: Reject invalid UTF‑8 dbfile token + +- Update to version 1.13.0: + * core: Export timeout values in dnsserver.Server + * core: Fix Corefile infinite loop on unclosed braces + * core: Fix Corefile related import cycle issue + * core: Normalize panics on invalid origins + * core: Rely on dns.Server.ShutdownContext to gracefully stop + * plugin/dnstap: Add bounds for plugin args + * plugin/file: Fix data race in tree Elem.Name + * plugin/forward: No failover to next upstream when receiving SERVFAIL or + REFUSED response codes + * plugin/grpc: Enforce DNS message size limits + * plugin/loop: Prevent panic when ListenHosts is empty + * plugin/loop: Avoid panic on invalid server block + * plugin/nomad: Add a Nomad plugin + * plugin/reload: Prevent SIGTERM/reload deadlock + +- fix CVE-2025-58063 bsc#1249389 +- Update to version 1.12.4: + * bump deps + * fix(transfer): goroutine leak on axfr err (#7516) + * plugin/etcd: fix import order for ttl test (#7515) + * fix(grpc): check proxy list length in policies (#7512) + * fix(https): propagate HTTP request context (#7491) + * fix(plugin): guard nil lookups 
across plugins (#7494) + * lint: add missing prealloc to backend lookup test (#7510) + * fix(grpc): span leak on error attempt (#7487) + * test(plugin): improve backend lookup coverage (#7496) + * lint: enable prealloc (#7493) + * lint: enable durationcheck (#7492) + * Add Sophotech to adopters list (#7495) + * plugin: Use %w to wrap user error (#7489) + * fix(metrics): add timeouts to metrics HTTP server (#7469) + * chore(ci): restrict token permissions (#7470) + * chore(ci): pin workflow dependencies (#7471) + * fix(forward): use netip package for parsing (#7472) + * test(plugin): improve test coverage for pprof (#7473) + * build(deps): bump github.com/go-viper/mapstructure/v2 (#7468) + * plugin/file: fix label offset problem in ClosestEncloser (#7465) + * feat(trace): migrate dd-trace-go v1 to v2 (#7466) + * test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438) + * chore: update Go version to 1.24.6 (#7437) + * plugin/header: Remove deprecated syntax (#7436) + * plugin/loadbalance: support prefer option (#7433) + * Improve caddy.GracefulServer conformance checks (#7416) + +- Update to version 1.12.3: + * chore: Minor changes to `Dockerfile` (#7428) + * Properly create hostname from IPv6 (#7431) + * Bump deps + * fix: handle cached connection closure in forward plugin (#7427) + * plugin/test: fix TXT record comparison for multi-chunk vs multiple records + * plugin/file: preserve case in SRV record names and targets per RFC 6763 + * fix(auto/file): return REFUSED when no next plugin is available (#7381) + * Port to AWS Go SDK v2 (#6588) + * fix(cache): data race when refreshing cached messages (#7398) + * fix(cache): data race when updating the TTL of cached messages (#7397) + * chore: fix docs incompatibility (#7390) + * plugin/rewrite: Add EDNS0 Unset Action (#7380) + * add args: startup_timeout for kubernetes plugin (#7068) + * [plugin/cache] create a copy of a response to ensure original data is never + modified + * Add 
support for fallthrough to the grpc plugin (#7359) + * view: Add IPv6 example match (#7355) + * chore: enable more rules from revive (#7352) + * chore: enable early-return and superfluous-else from revive (#7129) + * test(plugin): improve tests for auto (#7348) + * fix(proxy): flaky dial tests (#7349) + * test: add t.Helper() calls to test helper functions (#7351) + * fix(kubernetes): multicluster DNS race condition (#7350) + * lint: enable wastedassign linter (#7340) + * test(plugin): add tests for any (#7341) + * Actually invoke make release -f Makefile.release during test (#7338) + * Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337) + * lint: enable protogetter linter (#7336) + * lint: enable nolintlint linter (#7332) + * fix: missing intrange lint fix (#7333) + * perf(kubernetes): optimize AutoPath slice allocation (#7323) + * lint: enable intrange linter (#7331) + * feat(plugin/file): fallthrough (#7327) + * lint: enable canonicalheader linter (#7330) + * fix(proxy): avoid Dial hang after Transport stopped (#7321) + * test(plugin): add tests for pkg/rand (#7320) + * test(dnsserver): add unit tests for gRPC and QUIC servers (#7319) + * fix: loop variable capture and linter (#7328) + * lint: enable usetesting linter (#7322) + * test: skip certain network-specific tests on non-Linux (#7318) + * test(dnsserver): improve core/dnsserver test coverage (#7317) + * fix(metrics): preserve request size from plugins (#7313) + * fix: ensure DNS query name reset in plugin.NS error path (#7142) + * feat: enable plugins via environment during build (#7310) + * fix(plugin/bind): remove zone for link-local IPv4 (#7295) + * test(request): improve coverage across package (#7307) + * test(coremain): Add unit tests (#7308) + * ci(test-e2e): add Go version setup to workflow (#7309) + * kubernetes: add multicluster support (#7266) + * chore: Add new maintainer thevilledev (#7298) + * Update golangci-lint (#7294) + * feat: limit concurrent DoQ streams and goroutines (#7296) 
+ * docs: add man page for multisocket plugin (#7297) + * Prepare for the k8s api upgrade (#7293) + * fix(rewrite): truncated upstream response (#7277) + * fix(plugin/secondary): make transfer property mandatory (#7249) + * plugin/bind: remove macOS bug mention in docs (#7250) + * Remove `?bla=foo:443` for `POST` DoH (#7257) + * Do not interrupt querying readiness probes for plugins (#6975) + * Added `SetProxyOptions` function for `forward` plugin (#7229) + +- Backported quic-go PR #5094: Fix parsing of ifindex from packets + to ensure compatibility with big-endian architectures + (see quic-go/quic-go#4978, coredns/coredns#6682). + +- Update to version 1.12.1: + * core: Increase CNAME lookup limit from 7 to 10 (#7153) + * plugin/kubernetes: Fix handling of pods having DeletionTimestamp set + * plugin/kubernetes: Revert "only create PTR records for endpoints with + hostname defined" + * plugin/forward: added option failfast_all_unhealthy_upstreams to return + servfail if all upstreams are down + * bump dependencies, fixing bsc#1239294 and bsc#1239728 + +- Update to version 1.12.0: + * New multisocket plugin - allows CoreDNS to listen on multiple sockets + * bump deps + +- Update to version 1.11.4: + * forward plugin: new option next, to try alternate upstreams when receiving + specified response codes upstreams on (functions like the external plugin + alternate) + * dnssec plugin: new option to load keys from AWS Secrets Manager + * rewrite plugin: new option to revert EDNS0 option rewrites in responses + +- Update to version 1.11.3+git129.387f34d: + * fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991) + build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955) + * core: set cache-control max-age as integer, not float (#6764) + * Issue-6671: Fixed the order of plugins. 
(#6729) + * `root`: explicit mark `dnssec` support (#6753) + * feat: dnssec load keys from AWS Secrets Manager (#6618) + * fuzzing: fix broken oss-fuzz build (#6880) + * Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863) + * Update .go-version to 1.23.2 (#6920) + * plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893) + * Added OpenSSF Scorecard Badge (#6738) + * fix(cwd): Restored backwards compatibility of Current Workdir (#6731) + * fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705) + * feature: log queue and buffer memory size configuration (#6591) + * plugin/bind: add zone for link-local IPv6 instead of skipping (#6547) + * only create PTR records for endpoints with hostname defined (#6898) + * fix: reverter should execute the reversion in reversed order (#6872) + * plugin/etcd: fix etcd connection leakage when reload (#6646) + * kubernetes: Add useragent (#6484) + * Update build (#6836) + * Update grpc library use (#6826) + * Bump go version from 1.21.11 to 1.21.12 (#6800) + * Upgrade antonmedv/expr to expr-lang/expr (#6814) + * hosts: add hostsfile as label for coredns_hosts_entries (#6801) + * fix TestCorefile1 panic for nil handling (#6802) + + coredns +
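Review bot: the coredns submodule hunk only moves the pointer from c75b9e7 to 8273aa6 and gives no way to tell from the diff which upstream release the new commit corresponds to, while the _patchinfo changelog claims an update to version 1.14.0 plus the backported quic-go PR #5094 ifindex fix. Please state in the request description the upstream tag the submodule commit was built from and where the backport is applied on top of it, so a reviewer can check that the submodule content actually matches what the changelog says it contains.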
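Review bot: the issue list and the changelog in _patchinfo disagree about which CVEs this update fixes. The issue list names CVE-2025-29786, CVE-2025-68151, CVE-2025-22868, CVE-2025-58063 and CVE-2025-68156, but the changelog has explicit "fix" lines only for CVE-2025-68156 (bsc#1255345), CVE-2025-68161 (bsc#1256411) and CVE-2025-58063 (bsc#1249389): CVE-2025-68161 is missing from the issue list, and CVE-2025-29786, CVE-2025-68151 and CVE-2025-22868 are covered only implicitly by "bump deps" and version-update entries. Please add CVE-2025-68161 to the issue list (or drop the changelog line if it is not fixed by this submodule commit) and add a changelog line with its bsc reference for each of the other three, naming the dependency bump or upstream version that closes it (for example the expr-lang/expr 1.17.7 bump for the expr issues), so the patchinfo, the changelog and the bug tracker stay consistent. Separately, this "important" security update jumps from 1.11.3+git to 1.14.0 and carries behaviour changes that can break existing Corefiles, at least "fix(plugin/secondary): make transfer property mandatory", "plugin/header: Remove deprecated syntax", "plugin/forward: Disallow NOERROR in failover", "plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED" and "core: Increase CNAME lookup limit from 7 to 10"; the description should call these out for admins rather than leaving them buried in the per-release bullet lists.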