{"affected":[{"ecosystem_specific":{"binaries":[{"coredns":"1.14.0-bp160.1.1","coredns-extras":"1.14.0-bp160.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"coredns","purl":"pkg:rpm/opensuse/coredns&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.14.0-bp160.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for coredns fixes the following issues:\n\nChanges in coredns:\n\n- fix CVE-2025-68156 bsc#1255345\n- fix CVE-2025-68161 bsc#1256411\n- Update to version 1.14.0:\n  * core: Fix gosec G115 integer overflow warnings\n  * core: Add regex length limit\n  * plugin/azure: Fix slice init length\n  * plugin/errors: Add optional show_first flag to consolidate directive\n  * plugin/file: Fix for misleading SOA parser warnings\n  * plugin/kubernetes: Rate limits to api server\n  * plugin/metrics: Implement plugin chain tracking\n  * plugin/sign: Report parser err before missing SOA\n  * build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7\n\n- Update to version 1.13.2:\n  * core: Add basic support for DoH3\n  * core: Avoid proxy unnecessary alloc in Yield\n  * core: Fix usage of sync.Pool to save an alloc\n  * core: Fix data race with sync.RWMutex for uniq\n  * core: Prevent QUIC reload panic by lazily initializing the listener\n  * core: Refactor/use reflect.TypeFor\n  * plugin/auto: Limit regex length\n  * plugin/cache: Remove superfluous allocations in item.toMsg\n  * plugin/cache: Isolate metadata in prefetch goroutine\n  * plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil\n    packages\n  * plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy\n  * plugin/file: Performance finetuning\n  * plugin/forward: Disallow NOERROR in failover\n  * plugin/forward: Added support for per-nameserver TLS SNI\n  * plugin/forward: Prevent busy loop on connection err\n  * plugin/forward: Add max connect attempts knob\n  * plugin/geoip: Add ASN schema support\n  * plugin/geoip: Add support for subdivisions\n  * plugin/kubernetes: Fix kubernetes plugin logging\n  * plugin/multisocket: Cap num sockets to prevent OOM\n  * plugin/nomad: Support service filtering\n  * plugin/rewrite: Pre-compile CNAME rewrite regexp\n  * plugin/secondary: Fix reload causing secondary plugin goroutine to leak\n\n- Update to version 1.13.1:\n  * core: Avoid string concatenation in loops\n  * core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes\n  * plugin/sign: Reject invalid UTF‑8 dbfile token\n\n- Update to version 1.13.0:\n  * core: Export timeout values in dnsserver.Server\n  * core: Fix Corefile infinite loop on unclosed braces\n  * core: Fix Corefile related import cycle issue\n  * core: Normalize panics on invalid origins\n  * core: Rely on dns.Server.ShutdownContext to gracefully stop\n  * plugin/dnstap: Add bounds for plugin args\n  * plugin/file: Fix data race in tree Elem.Name\n  * plugin/forward: No failover to next upstream when receiving SERVFAIL or\n    REFUSED response codes\n  * plugin/grpc: Enforce DNS message size limits\n  * plugin/loop: Prevent panic when ListenHosts is empty\n  * plugin/loop: Avoid panic on invalid server block\n  * plugin/nomad: Add a Nomad plugin\n  * plugin/reload: Prevent SIGTERM/reload deadlock\n\n- fix CVE-2025-58063 bsc#1249389\n- Update to version 1.12.4:\n  * bump deps\n  * fix(transfer): goroutine leak on axfr err (#7516)\n  * plugin/etcd: fix import order for ttl test (#7515)\n  * fix(grpc): check proxy list length in policies (#7512)\n  * fix(https): propagate HTTP request context (#7491)\n  * fix(plugin): guard nil lookups across plugins (#7494)\n  * lint: add missing prealloc to backend lookup test (#7510)\n  * fix(grpc): span leak on error attempt (#7487)\n  * test(plugin): improve backend lookup coverage (#7496)\n  * lint: enable prealloc (#7493)\n  * lint: enable durationcheck (#7492)\n  * Add Sophotech to adopters list (#7495)\n  * plugin: Use %w to wrap user error (#7489)\n  * fix(metrics): add timeouts to metrics HTTP server (#7469)\n  * chore(ci): restrict token permissions (#7470)\n  * chore(ci): pin workflow dependencies (#7471)\n  * fix(forward): use netip package for parsing (#7472)\n  * test(plugin): improve test coverage for pprof (#7473)\n  * build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)\n  * plugin/file: fix label offset problem in ClosestEncloser (#7465)\n  * feat(trace): migrate dd-trace-go v1 to v2 (#7466)\n  * test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)\n  * chore: update Go version to 1.24.6 (#7437)\n  * plugin/header: Remove deprecated syntax (#7436)\n  * plugin/loadbalance: support prefer option (#7433)\n  * Improve caddy.GracefulServer conformance checks (#7416)\n\n- Update to version 1.12.3:\n  * chore: Minor changes to `Dockerfile` (#7428)\n  * Properly create hostname from IPv6 (#7431)\n  * Bump deps\n  * fix: handle cached connection closure in forward plugin (#7427)\n  * plugin/test: fix TXT record comparison for multi-chunk vs multiple records\n  * plugin/file: preserve case in SRV record names and targets per RFC 6763\n  * fix(auto/file): return REFUSED when no next plugin is available (#7381)\n  * Port to AWS Go SDK v2 (#6588)\n  * fix(cache): data race when refreshing cached messages (#7398)\n  * fix(cache): data race when updating the TTL of cached messages (#7397)\n  * chore: fix docs incompatibility (#7390)\n  * plugin/rewrite: Add EDNS0 Unset Action (#7380)\n  * add args: startup_timeout for kubernetes plugin (#7068)\n  * [plugin/cache] create a copy of a response to ensure original data is never\n     modified\n  * Add support for fallthrough to the grpc plugin (#7359)\n  * view: Add IPv6 example match (#7355)\n  * chore: enable more rules from revive (#7352)\n  * chore: enable early-return and superfluous-else from revive (#7129)\n  * test(plugin): improve tests for auto (#7348)\n  * fix(proxy): flaky dial tests (#7349)\n  * test: add t.Helper() calls to test helper functions (#7351)\n  * fix(kubernetes): multicluster DNS race condition (#7350)\n  * lint: enable wastedassign linter (#7340)\n  * test(plugin): add tests for any (#7341)\n  * Actually invoke make release -f Makefile.release during test (#7338)\n  * Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)\n  * lint: enable protogetter linter (#7336)\n  * lint: enable nolintlint linter (#7332)\n  * fix: missing intrange lint fix (#7333)\n  * perf(kubernetes): optimize AutoPath slice allocation (#7323)\n  * lint: enable intrange linter (#7331)\n  * feat(plugin/file): fallthrough (#7327)\n  * lint: enable canonicalheader linter (#7330)\n  * fix(proxy): avoid Dial hang after Transport stopped (#7321)\n  * test(plugin): add tests for pkg/rand (#7320)\n  * test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)\n  * fix: loop variable capture and linter (#7328)\n  * lint: enable usetesting linter (#7322)\n  * test: skip certain network-specific tests on non-Linux (#7318)\n  * test(dnsserver): improve core/dnsserver test coverage (#7317)\n  * fix(metrics): preserve request size from plugins (#7313)\n  * fix: ensure DNS query name reset in plugin.NS error path (#7142)\n  * feat: enable plugins via environment during build (#7310)\n  * fix(plugin/bind): remove zone for link-local IPv4 (#7295)\n  * test(request): improve coverage across package (#7307)\n  * test(coremain): Add unit tests (#7308)\n  * ci(test-e2e): add Go version setup to workflow (#7309)\n  * kubernetes: add multicluster support (#7266)\n  * chore: Add new maintainer thevilledev (#7298)\n  * Update golangci-lint (#7294)\n  * feat: limit concurrent DoQ streams and goroutines (#7296)\n  * docs: add man page for multisocket plugin (#7297)\n  * Prepare for the k8s api upgrade (#7293)\n  * fix(rewrite): truncated upstream response (#7277)\n  * fix(plugin/secondary): make transfer property mandatory (#7249)\n  * plugin/bind: remove macOS bug mention in docs (#7250)\n  * Remove `?bla=foo:443` for `POST` DoH (#7257)\n  * Do not interrupt querying readiness probes for plugins (#6975)\n  * Added `SetProxyOptions` function for `forward` plugin (#7229)\n\n-  Backported quic-go PR #5094: Fix parsing of ifindex from packets\n   to ensure compatibility with big-endian architectures\n   (see quic-go/quic-go#4978, coredns/coredns#6682).\n\n- Update to version 1.12.1:\n  * core: Increase CNAME lookup limit from 7 to 10 (#7153)\n  * plugin/kubernetes: Fix handling of pods having DeletionTimestamp set\n  * plugin/kubernetes: Revert \"only create PTR records for endpoints with\n    hostname defined\"\n  * plugin/forward: added option failfast_all_unhealthy_upstreams to return\n    servfail if all upstreams are down\n  * bump dependencies, fixing bsc#1239294 and bsc#1239728\n\n- Update to version 1.12.0:\n  * New multisocket plugin - allows CoreDNS to listen on multiple sockets\n  * bump deps\n\n- Update to version 1.11.4:\n  * forward plugin: new option next, to try alternate upstreams when receiving\n    specified response codes upstreams on (functions like the external plugin\n    alternate)\n  * dnssec plugin: new option to load keys from AWS Secrets Manager\n  * rewrite plugin: new option to revert EDNS0 option rewrites in responses\n\n- Update to version 1.11.3+git129.387f34d:\n  * fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991)\n    build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)\n  * core: set cache-control max-age as integer, not float (#6764)\n  * Issue-6671: Fixed the order of plugins. (#6729)\n  * `root`: explicit mark `dnssec` support (#6753)\n  * feat: dnssec load keys from AWS Secrets Manager (#6618)\n  * fuzzing: fix broken oss-fuzz build (#6880)\n  * Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)\n  * Update .go-version to 1.23.2 (#6920)\n  * plugin/rewrite: Add \"revert\" parameter for EDNS0 options (#6893)\n  * Added OpenSSF Scorecard Badge (#6738)\n  * fix(cwd): Restored backwards compatibility of Current Workdir (#6731)\n  * fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)\n  * feature: log queue and buffer memory size configuration (#6591)\n  * plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)\n  * only create PTR records for endpoints with hostname defined (#6898)\n  * fix: reverter should execute the reversion in reversed order (#6872)\n  * plugin/etcd: fix etcd connection leakage when reload (#6646)\n  * kubernetes: Add useragent (#6484)\n  * Update build (#6836)\n  * Update grpc library use (#6826)\n  * Bump go version from 1.21.11 to 1.21.12 (#6800)\n  * Upgrade antonmedv/expr to expr-lang/expr (#6814)\n  * hosts: add hostsfile as label for coredns_hosts_entries (#6801)\n  * fix TestCorefile1 panic for nil handling (#6802)\n","id":"openSUSE-SU-2026:20099-1","modified":"2026-01-24T09:09:32Z","published":"2026-01-24T09:09:32Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1239294"},{"type":"REPORT","url":"https://bugzilla.suse.com/1239728"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249389"},{"type":"REPORT","url":"https://bugzilla.suse.com/1255345"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256411"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-51744"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58063"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-68156"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-68161"}],"related":["CVE-2024-51744","CVE-2025-58063","CVE-2025-68156","CVE-2025-68161"],"summary":"Security update for coredns","upstream":["CVE-2024-51744","CVE-2025-58063","CVE-2025-68156","CVE-2025-68161"]}