openSUSE-SU-2024:0319-1: moderate: Security update for coredns

27 Sep 2024

      openSUSE Security Update: Security update for coredns
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0319-1
Rating:             moderate
References:         
Cross-References:   CVE-2022-27191 CVE-2022-28948 CVE-2023-28452
                    CVE-2023-30464 CVE-2024-0874 CVE-2024-22189

CVSS scores:
                    CVE-2022-27191 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-28948 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for coredns fixes the following issues:

   Update to version 1.11.3:

     * optimize the performance for high qps (#6767)
     * bump deps
     * Fix zone parser error handling (#6680)
     * Add alternate option to forward plugin (#6681)
     * fix: plugin/file: return error when parsing the file fails (#6699)
     * [fix:documentation] Clarify autopath README (#6750)
     * Fix outdated test (#6747)
     * Bump go version from 1.21.8 to 1.21.11 (#6755)
     * Generate zplugin.go correctly with third-party plugins (#6692)
     * dnstap: uses pointer receiver for small response writer (#6644)
     * chore: fix function name in comment (#6608)
     * [plugin/forward] Strip local zone from IPV6 nameservers (#6635)
   - fixes CVE-2023-30464
   - fixes CVE-2023-28452

   Update to upstream head (git commit #5a52707):

     * bump deps to address security issue CVE-2024-22189
     * Return RcodeServerFailure when DNS64 has no next plugin (#6590)
     * add plusserver to adopters (#6565)
     * Change the log flags to be a variable that can be set prior to calling
       Run (#6546)
     * Enable Prometheus native histograms (#6524)
     * forward: respect context (#6483)
     * add client labels to k8s plugin metadata (#6475)
     * fix broken link in webpage (#6488)
     * Repo controlled Go version (#6526)
     * removed the mutex locks with atomic bool (#6525)

   Update to version 1.11.2:

     * rewrite: fix multi request concurrency issue in cname rewrite  (#6407)
     * plugin/tls: respect the path specified by root plugin (#6138)
     * plugin/auto: warn when auto is unable to read elements of the
       directory tree (#6333)
     * fix: make the codeowners link relative (#6397)
     * plugin/etcd: the etcd client adds the DialKeepAliveTime parameter
       (#6351)
     * plugin/cache: key cache on Checking Disabled (CD) bit (#6354)
     * Use the correct root domain name in the proxy plugin's TestHealthX
       tests (#6395)
     * Add PITS Global Data Recovery Services as an adopter (#6304)
     * Handle UDP responses that overflow with TC bit with test case (#6277)
     * plugin/rewrite: add rcode as a rewrite option (#6204)

   - CVE-2024-0874: coredns: CD bit response is cached and served later

   - Update to version 1.11.1:

     * Revert “plugin/forward: Continue waiting after receiving malformed
       responses
     * plugin/dnstap: add support for “extra” field in payload
     * plugin/cache: fix keepttl parsing

   - Update to version 1.11.0:

     * Adds support for accepting DNS connections over QUIC (doq).
     * Adds CNAME target rewrites to the rewrite plugin.
     * Plus many bug fixes, and some security improvements.
     * This release introduces the following backward incompatible changes:
      + In the kubernetes plugin, we have dropped support for watching
        Endpoint and Endpointslice v1beta, since all supported K8s versions
        now use Endpointslice.
      + The bufsize plugin changed its default size limit value to 1232
      + Some changes to forward plugin metrics.

   - Update to version 1.10.1:

     * Corrected architecture labels in multi-arch image manifest
     * A new plugin timeouts that allows configuration of server listener
       timeout durations
     * acl can drop queries as an action
     * template supports creating responses with extended DNS errors
     * New weighted policy in loadbalance
     * Option to serve original record TTLs from cache

   - Update to version 1.10.0:

   	* core: add log listeners for k8s_event plugin (#5451)
   	* core: log DoH HTTP server error logs in CoreDNS format (#5457)
   	* core: warn when domain names are not in RFC1035 preferred syntax (#5414)
   	* plugin/acl: add support for extended DNS errors (#5532)
   	* plugin/bufsize: do not expand query UDP buffer size if already set to a
      smaller value (#5602)
   	* plugin/cache: add cache disable option (#5540)
   	* plugin/cache: add metadata for wildcard record responses (#5308)
   	* plugin/cache: add option to adjust SERVFAIL response cache TTL (#5320)
   	* plugin/cache: correct responses to Authenticated Data requests (#5191)
   	* plugin/dnstap: add identity and version support for the dnstap plugin
      (#5555)
   	* plugin/file: add metadata for wildcard record responses (#5308)
   	* plugin/forward: enable multiple forward declarations (#5127)
   	* plugin/forward: health_check needs to normalize a specified domain name
      (#5543)
   	* plugin/forward: remove unused coredns_forward_sockets_open metric
      (#5431)
   	* plugin/header: add support for query modification (#5556)
   	* plugin/health: bypass proxy in self health check (#5401)
   	* plugin/health: don't go lameduck when reloading (#5472)
   	* plugin/k8s_external: add support for PTR requests (#5435)
   	* plugin/k8s_external: resolve headless services (#5505)
   	* plugin/kubernetes: make kubernetes client log in CoreDNS format (#5461)
   	* plugin/ready: reset list of readiness plugins on startup (#5492)
   	* plugin/rewrite: add PTR records to supported types (#5565)
   	* plugin/rewrite: fix a crash in rewrite plugin when rule type is missing
      (#5459)
   	* plugin/rewrite: fix out-of-index issue in rewrite plugin (#5462)
   	* plugin/rewrite: support min and max TTL values (#5508)
   	* plugin/trace : make zipkin HTTP reporter more configurable using
      Corefile (#5460)
   	* plugin/trace: read trace context info from headers for DOH (#5439)
   	* plugin/tsig: add new plugin TSIG for validating TSIG requests and
      signing responses (#4957)
   	* core: update gopkg.in/yaml.v3 to fix CVE-2022-28948
   	* core: update golang.org/x/crypto to fix CVE-2022-27191
   	* plugin/acl: adding a check to parse out zone info
   	* plugin/dnstap: support FQDN TCP endpoint
   	* plugin/errors: add stacktrace option to log a stacktrace during panic
      recovery
   	* plugin/template: return SERVFAIL for zone-match regex-no-match case

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2024-319=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 x86_64):

      coredns-1.11.3-bp156.4.3.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      coredns-extras-1.11.3-bp156.4.3.1

References:

   https://www.suse.com/security/cve/CVE-2022-27191.html
   https://www.suse.com/security/cve/CVE-2022-28948.html
   https://www.suse.com/security/cve/CVE-2023-28452.html
   https://www.suse.com/security/cve/CVE-2023-30464.html
   https://www.suse.com/security/cve/CVE-2024-0874.html
   https://www.suse.com/security/cve/CVE-2024-22189.html

opensuse-security＠opensuse.org

tags

participants (1)