products/PackageHub
SHA256
31
1
Fork 14
Code Issues Pull Requests 15 Actions Activity

Pull request for security update for coredns #340

Manually merged
products merged 1 commits from rfrohl/PackageHub:maintenance-update-1768924179 into leap-16.0 2026-01-21 10:10:55 +01:00
Conversation 20 Commits 1 Files Changed 2 +223 -1
2 changed files with 223 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
coredns

Submodule coredns updated: c75b9e7492...8273aa64e4

222
patchinfo.20260120154940279982.93181000773252/_patchinfo Normal file
View File

@@ -0,0 +1,222 @@
<patchinfo>
<issue tracker="cve" id="2025-68156"/>
<issue tracker="cve" id="2025-68161"/>
<issue tracker="cve" id="2024-51744"/>
<issue tracker="bnc" id="1239728">VUL-0: CVE-2025-29786: coredns: github.com/expr-lang/expr: memory exhaustion when unbounded input string is processed by Expr expression parser</issue>
<issue tracker="bnc" id="1256411">VUL-0: CVE-2025-68151: coredns: coredns: lack of resource-limiting controls in multiple CoreDNS server implementations allows an unauthenticated remote attacker to exhaust memory and crash the server</issue>
<issue tracker="bnc" id="1239294">VUL-0: CVE-2025-22868: coredns: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2</issue>
<issue tracker="cve" id="2025-58063"/>
<issue tracker="bnc" id="1249389">VUL-0: CVE-2025-58063: coredns: CoreDNS Lease ID Confusion</issue>
<issue tracker="bnc" id="1255345">VUL-0: CVE-2025-68156: coredns: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service</issue>
<packager>amanzini</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for coredns</summary>
<description>This update for coredns fixes the following issues:
Changes in coredns:
- fix CVE-2025-68156 bsc#1255345
- fix CVE-2025-68161 bsc#1256411
- Update to version 1.14.0:
* core: Fix gosec G115 integer overflow warnings
* core: Add regex length limit
* plugin/azure: Fix slice init length
* plugin/errors: Add optional show_first flag to consolidate directive
* plugin/file: Fix for misleading SOA parser warnings
* plugin/kubernetes: Rate limits to api server
* plugin/metrics: Implement plugin chain tracking
* plugin/sign: Report parser err before missing SOA
* build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7
- Update to version 1.13.2:
* core: Add basic support for DoH3
* core: Avoid proxy unnecessary alloc in Yield
* core: Fix usage of sync.Pool to save an alloc
* core: Fix data race with sync.RWMutex for uniq
* core: Prevent QUIC reload panic by lazily initializing the listener
* core: Refactor/use reflect.TypeFor
* plugin/auto: Limit regex length
* plugin/cache: Remove superfluous allocations in item.toMsg
* plugin/cache: Isolate metadata in prefetch goroutine
* plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil
packages
* plugin/dnstap: Better error handling (redial &amp; logging) when Dnstap is busy
* plugin/file: Performance finetuning
* plugin/forward: Disallow NOERROR in failover
* plugin/forward: Added support for per-nameserver TLS SNI
* plugin/forward: Prevent busy loop on connection err
* plugin/forward: Add max connect attempts knob
* plugin/geoip: Add ASN schema support
* plugin/geoip: Add support for subdivisions
* plugin/kubernetes: Fix kubernetes plugin logging
* plugin/multisocket: Cap num sockets to prevent OOM
* plugin/nomad: Support service filtering
* plugin/rewrite: Pre-compile CNAME rewrite regexp
* plugin/secondary: Fix reload causing secondary plugin goroutine to leak
- Update to version 1.13.1:
* core: Avoid string concatenation in loops
* core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
* plugin/sign: Reject invalid UTF8 dbfile token
- Update to version 1.13.0:
* core: Export timeout values in dnsserver.Server
* core: Fix Corefile infinite loop on unclosed braces
* core: Fix Corefile related import cycle issue
* core: Normalize panics on invalid origins
* core: Rely on dns.Server.ShutdownContext to gracefully stop
* plugin/dnstap: Add bounds for plugin args
* plugin/file: Fix data race in tree Elem.Name
* plugin/forward: No failover to next upstream when receiving SERVFAIL or
REFUSED response codes
* plugin/grpc: Enforce DNS message size limits
* plugin/loop: Prevent panic when ListenHosts is empty
* plugin/loop: Avoid panic on invalid server block
* plugin/nomad: Add a Nomad plugin
* plugin/reload: Prevent SIGTERM/reload deadlock
- fix CVE-2025-58063 bsc#1249389
- Update to version 1.12.4:
* bump deps
* fix(transfer): goroutine leak on axfr err (#7516)
* plugin/etcd: fix import order for ttl test (#7515)
* fix(grpc): check proxy list length in policies (#7512)
* fix(https): propagate HTTP request context (#7491)
* fix(plugin): guard nil lookups across plugins (#7494)
* lint: add missing prealloc to backend lookup test (#7510)
* fix(grpc): span leak on error attempt (#7487)
* test(plugin): improve backend lookup coverage (#7496)
* lint: enable prealloc (#7493)
* lint: enable durationcheck (#7492)
* Add Sophotech to adopters list (#7495)
* plugin: Use %w to wrap user error (#7489)
* fix(metrics): add timeouts to metrics HTTP server (#7469)
* chore(ci): restrict token permissions (#7470)
* chore(ci): pin workflow dependencies (#7471)
* fix(forward): use netip package for parsing (#7472)
* test(plugin): improve test coverage for pprof (#7473)
* build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
* plugin/file: fix label offset problem in ClosestEncloser (#7465)
* feat(trace): migrate dd-trace-go v1 to v2 (#7466)
* test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
* chore: update Go version to 1.24.6 (#7437)
* plugin/header: Remove deprecated syntax (#7436)
* plugin/loadbalance: support prefer option (#7433)
* Improve caddy.GracefulServer conformance checks (#7416)
- Update to version 1.12.3:
* chore: Minor changes to `Dockerfile` (#7428)
* Properly create hostname from IPv6 (#7431)
* Bump deps
* fix: handle cached connection closure in forward plugin (#7427)
* plugin/test: fix TXT record comparison for multi-chunk vs multiple records
* plugin/file: preserve case in SRV record names and targets per RFC 6763
* fix(auto/file): return REFUSED when no next plugin is available (#7381)
* Port to AWS Go SDK v2 (#6588)
* fix(cache): data race when refreshing cached messages (#7398)
* fix(cache): data race when updating the TTL of cached messages (#7397)
* chore: fix docs incompatibility (#7390)
* plugin/rewrite: Add EDNS0 Unset Action (#7380)
* add args: startup_timeout for kubernetes plugin (#7068)
* [plugin/cache] create a copy of a response to ensure original data is never
modified
* Add support for fallthrough to the grpc plugin (#7359)
* view: Add IPv6 example match (#7355)
* chore: enable more rules from revive (#7352)
* chore: enable early-return and superfluous-else from revive (#7129)
* test(plugin): improve tests for auto (#7348)
* fix(proxy): flaky dial tests (#7349)
* test: add t.Helper() calls to test helper functions (#7351)
* fix(kubernetes): multicluster DNS race condition (#7350)
* lint: enable wastedassign linter (#7340)
* test(plugin): add tests for any (#7341)
* Actually invoke make release -f Makefile.release during test (#7338)
* Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
* lint: enable protogetter linter (#7336)
* lint: enable nolintlint linter (#7332)
* fix: missing intrange lint fix (#7333)
* perf(kubernetes): optimize AutoPath slice allocation (#7323)
* lint: enable intrange linter (#7331)
* feat(plugin/file): fallthrough (#7327)
* lint: enable canonicalheader linter (#7330)
* fix(proxy): avoid Dial hang after Transport stopped (#7321)
* test(plugin): add tests for pkg/rand (#7320)
* test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
* fix: loop variable capture and linter (#7328)
* lint: enable usetesting linter (#7322)
* test: skip certain network-specific tests on non-Linux (#7318)
* test(dnsserver): improve core/dnsserver test coverage (#7317)
* fix(metrics): preserve request size from plugins (#7313)
* fix: ensure DNS query name reset in plugin.NS error path (#7142)
* feat: enable plugins via environment during build (#7310)
* fix(plugin/bind): remove zone for link-local IPv4 (#7295)
* test(request): improve coverage across package (#7307)
* test(coremain): Add unit tests (#7308)
* ci(test-e2e): add Go version setup to workflow (#7309)
* kubernetes: add multicluster support (#7266)
* chore: Add new maintainer thevilledev (#7298)
* Update golangci-lint (#7294)
* feat: limit concurrent DoQ streams and goroutines (#7296)
* docs: add man page for multisocket plugin (#7297)
* Prepare for the k8s api upgrade (#7293)
* fix(rewrite): truncated upstream response (#7277)
* fix(plugin/secondary): make transfer property mandatory (#7249)
* plugin/bind: remove macOS bug mention in docs (#7250)
* Remove `?bla=foo:443` for `POST` DoH (#7257)
* Do not interrupt querying readiness probes for plugins (#6975)
* Added `SetProxyOptions` function for `forward` plugin (#7229)
- Backported quic-go PR #5094: Fix parsing of ifindex from packets
to ensure compatibility with big-endian architectures
(see quic-go/quic-go#4978, coredns/coredns#6682).
- Update to version 1.12.1:
* core: Increase CNAME lookup limit from 7 to 10 (#7153)
* plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
* plugin/kubernetes: Revert "only create PTR records for endpoints with
hostname defined"
* plugin/forward: added option failfast_all_unhealthy_upstreams to return
servfail if all upstreams are down
* bump dependencies, fixing bsc#1239294 and bsc#1239728
- Update to version 1.12.0:
* New multisocket plugin - allows CoreDNS to listen on multiple sockets
* bump deps
- Update to version 1.11.4:
* forward plugin: new option next, to try alternate upstreams when receiving
specified response codes upstreams on (functions like the external plugin
alternate)
* dnssec plugin: new option to load keys from AWS Secrets Manager
* rewrite plugin: new option to revert EDNS0 option rewrites in responses
- Update to version 1.11.3+git129.387f34d:
* fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991)
build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
* core: set cache-control max-age as integer, not float (#6764)
* Issue-6671: Fixed the order of plugins. (#6729)
* `root`: explicit mark `dnssec` support (#6753)
* feat: dnssec load keys from AWS Secrets Manager (#6618)
* fuzzing: fix broken oss-fuzz build (#6880)
* Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
* Update .go-version to 1.23.2 (#6920)
* plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
* Added OpenSSF Scorecard Badge (#6738)
* fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
* fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
* feature: log queue and buffer memory size configuration (#6591)
* plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
* only create PTR records for endpoints with hostname defined (#6898)
* fix: reverter should execute the reversion in reversed order (#6872)
* plugin/etcd: fix etcd connection leakage when reload (#6646)
* kubernetes: Add useragent (#6484)
* Update build (#6836)
* Update grpc library use (#6826)
* Bump go version from 1.21.11 to 1.21.12 (#6800)
* Upgrade antonmedv/expr to expr-lang/expr (#6814)
* hosts: add hostsfile as label for coredns_hosts_entries (#6801)
* fix TestCorefile1 panic for nil handling (#6802)
</description>
<package>coredns</package>
</patchinfo>