SUSE Package Hub - openSUSE-2026-79

Update Info

openSUSE-2026-79

Security update for coredns

Type: security

Severity: important

Issued: 2026-03-11

Description:

This update for coredns fixes the following issues:

Update to version 1.14.2:

- CVE-2026-26017: Fixed DNS access control bypass due to default execution
  order of plugins and TOCTOU flaw (bsc#1259320).
- CVE-2026-26018: Fixed denial of service in the loop detection plugin due to
  predictable PRNG combined with fatal error handler (bsc#1259319).

Update to version 1.14.1:

- This release primarily addresses security vulnerabilities affecting Go
  versions prior to Go 1.25.6 and Go 1.24.12 (CVE-2025-61728, CVE-2025-61726,
  CVE-2025-68121, CVE-2025-61731, CVE-2025-68119). 

- CVE-2025-68156: Fixed uncontrolled recursion in expression evaluation can
  cause a denial of service (bsc#1255345).

References

CVE: CVE-2026-26018
CVE: CVE-2026-26017
CVE: CVE-2025-68156
CVE: CVE-2025-68121
CVE: CVE-2025-68119
CVE: CVE-2025-61731
CVE: CVE-2025-61728
CVE: CVE-2025-61726
Bugzilla: 1259320 VUL-0: CVE-2026-26017: coredns: DNS access control bypass due to default execution order of plugins and TOCTOU flaw
Bugzilla: 1259319 VUL-0: CVE-2026-26018: coredns: denial of service in the loop detection plugin due to predictable PRNG combined with fatal error handler
Bugzilla: 1255345 VUL-0: CVE-2025-68156: coredns: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service

Packages

coredns-1.14.2-bp156.4.16.1