Security update for coredns
This update for coredns fixes the following issues:
Update to version 1.14.2:
- CVE-2026-26017: Fixed DNS access control bypass due to default execution
order of plugins and TOCTOU flaw (bsc#1259320).
- CVE-2026-26018: Fixed denial of service in the loop detection plugin due to
predictable PRNG combined with fatal error handler (bsc#1259319).
Update to version 1.14.1:
- This release primarily addresses security vulnerabilities affecting Go
versions prior to Go 1.25.6 and Go 1.24.12 (CVE-2025-61728, CVE-2025-61726,
CVE-2025-68121, CVE-2025-61731, CVE-2025-68119).
- CVE-2025-68156: Fixed uncontrolled recursion in expression evaluation can
cause a denial of service (bsc#1255345).
-
Submitted by
Andrea Manzini (amanzini)
Fixed bugs
bnc#1259319
VUL-0: CVE-2026-26018: coredns: denial of service in the loop detection plugin due to predictable PRNG combined with fatal error handler
bnc#1259320
VUL-0: CVE-2026-26017: coredns: DNS access control bypass due to default execution order of plugins and TOCTOU flaw
bnc#1255345
VUL-0: CVE-2025-68156: coredns: github.com/expr-lang/expr/builtin: uncontrolled recursion in expression evaluation can cause a denial of service
