openSUSE Security Update: Security update for coredns
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0319-1
Rating:             moderate
References:         
Cross-References:   CVE-2022-27191 CVE-2022-28948 CVE-2023-28452
                    CVE-2023-30464 CVE-2024-0874 CVE-2024-22189
                   
CVSS scores:
                    CVE-2022-27191 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-28948 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for coredns fixes the following issues:

   Update to version 1.11.3:

     * optimize the performance for high qps (#6767)
     * bump deps
     * Fix zone parser error handling (#6680)
     * Add alternate option to forward plugin (#6681)
     * fix: plugin/file: return error when parsing the file fails (#6699)
     * [fix:documentation] Clarify autopath README (#6750)
     * Fix outdated test (#6747)
     * Bump go version from 1.21.8 to 1.21.11 (#6755)
     * Generate zplugin.go correctly with third-party plugins (#6692)
     * dnstap: uses pointer receiver for small response writer (#6644)
     * chore: fix function name in comment (#6608)
     * [plugin/forward] Strip local zone from IPV6 nameservers (#6635)
   - fixes CVE-2023-30464
   - fixes CVE-2023-28452

   Update to upstream head (git commit #5a52707):

     * bump deps to address security issue CVE-2024-22189
     * Return RcodeServerFailure when DNS64 has no next plugin (#6590)
     * add plusserver to adopters (#6565)
     * Change the log flags to be a variable that can be set prior to calling
       Run (#6546)
     * Enable Prometheus native histograms (#6524)
     * forward: respect context (#6483)
     * add client labels to k8s plugin metadata (#6475)
     * fix broken link in webpage (#6488)
     * Repo controlled Go version (#6526)
     * removed the mutex locks with atomic bool (#6525)

   Update to version 1.11.2:

     * rewrite: fix multi request concurrency issue in cname rewrite (#6407)
     * plugin/tls: respect the path specified by root plugin (#6138)
     * plugin/auto: warn when auto is unable to read elements of the
       directory tree (#6333)
     * fix: make the codeowners link relative (#6397)
     * plugin/etcd: the etcd client adds the DialKeepAliveTime parameter
       (#6351)
     * plugin/cache: key cache on Checking Disabled (CD) bit (#6354)
     * Use the correct root domain name in the proxy plugin's TestHealthX
       tests (#6395)
     * Add PITS Global Data Recovery Services as an adopter (#6304)
     * Handle UDP responses that overflow with TC bit with test case (#6277)
     * plugin/rewrite: add rcode as a rewrite option (#6204)

   - CVE-2024-0874: coredns: CD bit response is cached and served later

   - Update to version 1.11.1:

     * Revert “plugin/forward: Continue waiting after receiving malformed
       responses”
     * plugin/dnstap: add support for “extra” field in payload
     * plugin/cache: fix keepttl parsing

   - Update to version 1.11.0:

     * Adds support for accepting DNS connections over QUIC (doq).
     * Adds CNAME target rewrites to the rewrite plugin.
     * Plus many bug fixes, and some security improvements.
     * This release introduces the following backward incompatible changes:
      + In the kubernetes plugin, we have dropped support for watching
        Endpoint and Endpointslice v1beta, since all supported K8s versions
        now use Endpointslice.
      + The bufsize plugin changed its default size limit value to 1232
      + Some changes to forward plugin metrics.

   - Update to version 1.10.1:

     * Corrected architecture labels in multi-arch image manifest
     * A new plugin timeouts that allows configuration of server listener
       timeout durations
     * acl can drop queries as an action
     * template supports creating responses with extended DNS errors
     * New weighted policy in loadbalance
     * Option to serve original record TTLs from cache

   - Update to version 1.10.0:

     * core: add log listeners for k8s_event plugin (#5451)
     * core: log DoH HTTP server error logs in CoreDNS format (#5457)
     * core: warn when domain names are not in RFC1035 preferred syntax (#5414)
     * plugin/acl: add support for extended DNS errors (#5532)
     * plugin/bufsize: do not expand query UDP buffer size if already set to a
       smaller value (#5602)
     * plugin/cache: add cache disable option (#5540)
     * plugin/cache: add metadata for wildcard record responses (#5308)
     * plugin/cache: add option to adjust SERVFAIL response cache TTL (#5320)
     * plugin/cache: correct responses to Authenticated Data requests (#5191)
     * plugin/dnstap: add identity and version support for the dnstap plugin
       (#5555)
     * plugin/file: add metadata for wildcard record responses (#5308)
     * plugin/forward: enable multiple forward declarations (#5127)
     * plugin/forward: health_check needs to normalize a specified domain name
       (#5543)
     * plugin/forward: remove unused coredns_forward_sockets_open metric
       (#5431)
     * plugin/header: add support for query modification (#5556)
     * plugin/health: bypass proxy in self health check (#5401)
     * plugin/health: don't go lameduck when reloading (#5472)
     * plugin/k8s_external: add support for PTR requests (#5435)
     * plugin/k8s_external: resolve headless services (#5505)
     * plugin/kubernetes: make kubernetes client log in CoreDNS format (#5461)
     * plugin/ready: reset list of readiness plugins on startup (#5492)
     * plugin/rewrite: add PTR records to supported types (#5565)
     * plugin/rewrite: fix a crash in rewrite plugin when rule type is missing
       (#5459)
     * plugin/rewrite: fix out-of-index issue in rewrite plugin (#5462)
     * plugin/rewrite: support min and max TTL values (#5508)
     * plugin/trace: make zipkin HTTP reporter more configurable using
       Corefile (#5460)
     * plugin/trace: read trace context info from headers for DOH (#5439)
     * plugin/tsig: add new plugin TSIG for validating TSIG requests and
       signing responses (#4957)
     * core: update gopkg.in/yaml.v3 to fix CVE-2022-28948
     * core: update golang.org/x/crypto to fix CVE-2022-27191
     * plugin/acl: adding a check to parse out zone info
     * plugin/dnstap: support FQDN TCP endpoint
     * plugin/errors: add stacktrace option to log a stacktrace during panic
       recovery
     * plugin/template: return SERVFAIL for zone-match regex-no-match case


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2024-319=1



Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 x86_64):

      coredns-1.11.3-bp156.4.3.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      coredns-extras-1.11.3-bp156.4.3.1
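   A quick way to confirm on a host that the installed coredns package already
   carries this fix is to compare its version-release against the fixed build
   listed above. The script below is an added example and not part of the
   advisory or of SUSE tooling; it assumes the installed string is taken from
   `rpm -q --qf '%{VERSION}-%{RELEASE}\n' coredns`, and its segment comparison
   is a simplification of rpmvercmp that is sufficient for Backports tags such
   as 1.11.3-bp156.4.3.1.

```shell
#!/bin/sh
# Added example (not from the advisory): does an installed coredns build
# already include openSUSE-SU-2024:0319-1? Input is the version-release
# string as printed by:  rpm -q --qf '%{VERSION}-%{RELEASE}\n' coredns

FIXED_VR="1.11.3-bp156.4.3.1"   # fixed build from the advisory's package list

# is_num S: succeed if S is a non-empty run of decimal digits
is_num() { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# ver_ge A B: succeed (return 0) if version-release A is >= B.
# Splits on '.' and '-'; numeric segments compare numerically, other
# segments bytewise, numeric ranks above alphabetic (as in rpmvercmp),
# and a version that runs out of segments first is the lower one.
ver_ge() {
  a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
  b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
  while [ -n "$a" ] || [ -n "$b" ]; do
    sa=${a%% *}; if [ "$a" = "$sa" ]; then a=; else a=${a#* }; fi
    sb=${b%% *}; if [ "$b" = "$sb" ]; then b=; else b=${b#* }; fi
    [ "$sa" = "$sb" ] && continue
    [ -z "$sa" ] && return 1        # A has fewer segments: A < B
    [ -z "$sb" ] && return 0        # B has fewer segments: A > B
    if is_num "$sa" && is_num "$sb"; then
      [ "$sa" -gt "$sb" ] && return 0
      return 1
    fi
    is_num "$sa" && return 0        # numeric segment outranks alphabetic
    is_num "$sb" && return 1
    lower=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | head -n 1)
    [ "$lower" = "$sb" ] && return 0
    return 1
  done
  return 0                          # every segment equal
}

# coredns_fixed INSTALLED_VR: succeed if the installed build carries the fix
coredns_fixed() { ver_ge "$1" "$FIXED_VR"; }

# Constructed sample input; on a real host feed the rpm -q output instead
if coredns_fixed "1.11.3-bp156.4.2.1"; then
  echo "coredns is patched"
else
  echo "coredns is NOT patched: run 'zypper in -t patch openSUSE-2024-319=1'"
fi
```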


References:

   https://www.suse.com/security/cve/CVE-2022-27191.html
   https://www.suse.com/security/cve/CVE-2022-28948.html
   https://www.suse.com/security/cve/CVE-2023-28452.html
   https://www.suse.com/security/cve/CVE-2023-30464.html
   https://www.suse.com/security/cve/CVE-2024-0874.html
   https://www.suse.com/security/cve/CVE-2024-22189.html

Published: September 27, 2024