<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for coredns</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2024:0319-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2024-09-27T14:01:32Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-09-27T14:01:32Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-09-27T14:01:32Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for coredns</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for coredns fixes the following issues:

Update to version 1.11.3:

  * optimize the performance for high qps (#6767)
  * bump deps
  * Fix zone parser error handling (#6680)
  * Add alternate option to forward plugin (#6681)
  * fix: plugin/file: return error when parsing the file fails (#6699)
  * [fix:documentation] Clarify autopath README (#6750)
  * Fix outdated test (#6747)
  * Bump go version from 1.21.8 to 1.21.11 (#6755)
  * Generate zplugin.go correctly with third-party plugins (#6692)
  * dnstap: uses pointer receiver for small response writer (#6644)
  * chore: fix function name in comment (#6608)
  * [plugin/forward] Strip local zone from IPV6 nameservers (#6635)
- fixes CVE-2023-30464
- fixes CVE-2023-28452

Update to upstream head (git commit #5a52707):

  * bump deps to address security issue CVE-2024-22189
  * Return RcodeServerFailure when DNS64 has no next plugin (#6590)
  * add plusserver to adopters (#6565)
  * Change the log flags to be a variable that can be set prior to calling Run (#6546)
  * Enable Prometheus native histograms (#6524)
  * forward: respect context (#6483)
  * add client labels to k8s plugin metadata (#6475)
  * fix broken link in webpage (#6488)
  * Repo controlled Go version (#6526)
  * removed the mutex locks with atomic bool (#6525)

Update to version 1.11.2:

  * rewrite: fix multi request concurrency issue in cname rewrite (#6407)
  * plugin/tls: respect the path specified by root plugin (#6138)
  * plugin/auto: warn when auto is unable to read elements of the directory tree (#6333)
  * fix: make the codeowners link relative (#6397)
  * plugin/etcd: the etcd client adds the DialKeepAliveTime parameter (#6351)
  * plugin/cache: key cache on Checking Disabled (CD) bit (#6354)
  * Use the correct root domain name in the proxy plugin's TestHealthX tests (#6395)
  * Add PITS Global Data Recovery Services as an adopter (#6304)
  * Handle UDP responses that overflow with TC bit with test case (#6277)
  * plugin/rewrite: add rcode as a rewrite option (#6204)

- CVE-2024-0874: coredns: CD bit response is cached and served later

- Update to version 1.11.1:

  * Revert “plugin/forward: Continue waiting after receiving malformed responses”
  * plugin/dnstap: add support for “extra” field in payload
  * plugin/cache: fix keepttl parsing

- Update to version 1.11.0:

  * Adds support for accepting DNS connections over QUIC (doq).
  * Adds CNAME target rewrites to the rewrite plugin.
  * Plus many bug fixes, and some security improvements.
  * This release introduces the following backward incompatible changes:
   + In the kubernetes plugin, we have dropped support for watching Endpoint and Endpointslice v1beta,
     since all supported K8s versions now use Endpointslice.
   + The bufsize plugin changed its default size limit value to 1232.
   + Some changes to forward plugin metrics.

- Update to version 1.10.1:

  * Corrected architecture labels in multi-arch image manifest
  * A new plugin timeouts that allows configuration of server listener timeout durations
  * acl can drop queries as an action
  * template supports creating responses with extended DNS errors
  * New weighted policy in loadbalance
  * Option to serve original record TTLs from cache

- Update to version 1.10.0:

  * core: add log listeners for k8s_event plugin (#5451)
  * core: log DoH HTTP server error logs in CoreDNS format (#5457)
  * core: warn when domain names are not in RFC1035 preferred syntax (#5414)
  * plugin/acl: add support for extended DNS errors (#5532)
  * plugin/bufsize: do not expand query UDP buffer size if already set to a smaller value (#5602)
  * plugin/cache: add cache disable option (#5540)
  * plugin/cache: add metadata for wildcard record responses (#5308)
  * plugin/cache: add option to adjust SERVFAIL response cache TTL (#5320)
  * plugin/cache: correct responses to Authenticated Data requests (#5191)
  * plugin/dnstap: add identity and version support for the dnstap plugin (#5555)
  * plugin/file: add metadata for wildcard record responses (#5308)
  * plugin/forward: enable multiple forward declarations (#5127)
  * plugin/forward: health_check needs to normalize a specified domain name (#5543)
  * plugin/forward: remove unused coredns_forward_sockets_open metric (#5431)
  * plugin/header: add support for query modification (#5556)
  * plugin/health: bypass proxy in self health check (#5401)
  * plugin/health: don't go lameduck when reloading (#5472)
  * plugin/k8s_external: add support for PTR requests (#5435)
  * plugin/k8s_external: resolve headless services (#5505)
  * plugin/kubernetes: make kubernetes client log in CoreDNS format (#5461)
  * plugin/ready: reset list of readiness plugins on startup (#5492)
  * plugin/rewrite: add PTR records to supported types (#5565)
  * plugin/rewrite: fix a crash in rewrite plugin when rule type is missing (#5459)
  * plugin/rewrite: fix out-of-index issue in rewrite plugin (#5462)
  * plugin/rewrite: support min and max TTL values (#5508)
  * plugin/trace: make zipkin HTTP reporter more configurable using Corefile (#5460)
  * plugin/trace: read trace context info from headers for DOH (#5439)
  * plugin/tsig: add new plugin TSIG for validating TSIG requests and signing responses (#4957)
  * core: update gopkg.in/yaml.v3 to fix CVE-2022-28948
  * core: update golang.org/x/crypto to fix CVE-2022-27191
  * plugin/acl: adding a check to parse out zone info
  * plugin/dnstap: support FQDN TCP endpoint
  * plugin/errors: add stacktrace option to log a stacktrace during panic recovery
  * plugin/template: return SERVFAIL for zone-match regex-no-match case
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2024-319</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      <Description>E-Mail link for openSUSE-SU-2024:0319-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-27191/</URL>
      <Description>SUSE CVE CVE-2022-27191 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-28948/</URL>
      <Description>SUSE CVE CVE-2022-28948 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-28452/</URL>
      <Description>SUSE CVE CVE-2023-28452 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-30464/</URL>
      <Description>SUSE CVE CVE-2023-30464 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-0874/</URL>
      <Description>SUSE CVE CVE-2024-0874 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-22189/</URL>
      <Description>SUSE CVE CVE-2024-22189 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Package Hub 15 SP6">
      <Branch Type="Product Name" Name="SUSE Package Hub 15 SP6">
        <FullProductName ProductID="SUSE Package Hub 15 SP6">SUSE Package Hub 15 SP6</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 15.6">
      <Branch Type="Product Name" Name="openSUSE Leap 15.6">
        <FullProductName ProductID="openSUSE Leap 15.6" CPE="cpe:/o:opensuse:leap:15.6">openSUSE Leap 15.6</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="coredns-1.11.3-bp156.4.3.1">
      <FullProductName ProductID="coredns-1.11.3-bp156.4.3.1">coredns-1.11.3-bp156.4.3.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="coredns-extras-1.11.3-bp156.4.3.1">
      <FullProductName ProductID="coredns-extras-1.11.3-bp156.4.3.1">coredns-extras-1.11.3-bp156.4.3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="coredns-1.11.3-bp156.4.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP6">
      <FullProductName ProductID="SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1">coredns-1.11.3-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6</FullProductName>
    </Relationship>
    <Relationship ProductReference="coredns-extras-1.11.3-bp156.4.3.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Package Hub 15 SP6">
      <FullProductName ProductID="SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1">coredns-extras-1.11.3-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6</FullProductName>
    </Relationship>
    <Relationship ProductReference="coredns-1.11.3-bp156.4.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1">coredns-1.11.3-bp156.4.3.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
    <Relationship ProductReference="coredns-extras-1.11.3-bp156.4.3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.6">
      <FullProductName ProductID="openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1">coredns-extras-1.11.3-bp156.4.3.1 as a component of openSUSE Leap 15.6</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.</Note>
    </Notes>
    <CVE>CVE-2022-27191</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-27191.html</URL>
        <Description>CVE-2022-27191</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1197284</URL>
        <Description>SUSE Bug 1197284</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.</Note>
    </Notes>
    <CVE>CVE-2022-28948</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-28948.html</URL>
        <Description>CVE-2022-28948</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1199772</URL>
        <Description>SUSE Bug 1199772</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.</Note>
    </Notes>
    <CVE>CVE-2023-28452</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-28452.html</URL>
        <Description>CVE-2023-28452</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1230760</URL>
        <Description>SUSE Bug 1230760</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.</Note>
    </Notes>
    <CVE>CVE-2023-30464</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-30464.html</URL>
        <Description>CVE-2023-30464</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1230757</URL>
        <Description>SUSE Bug 1230757</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in coredns. This issue could lead to invalid cache entries being returned due to incorrectly implemented caching.</Note>
    </Notes>
    <CVE>CVE-2024-0874</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-0874.html</URL>
        <Description>CVE-2024-0874</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1219167</URL>
        <Description>SUSE Bug 1219167</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="6">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory by sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.</Note>
    </Notes>
    <CVE>CVE-2024-22189</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Package Hub 15 SP6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>SUSE Package Hub 15 SP6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-1.11.3-bp156.4.3.1</ProductID>
        <ProductID>openSUSE Leap 15.6:coredns-extras-1.11.3-bp156.4.3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2JLUFKCHWHJJ2MQ6XRREF7D4OOWB23V2/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-22189.html</URL>
        <Description>CVE-2024-22189</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222461</URL>
        <Description>SUSE Bug 1222461</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
