Detections
Analytics
openSUSE 16 Security Update : coredns (openSUSE-SU-2026:20099-1)
medium Nessus Plugin ID 296576
Synopsis
The remote openSUSE host is missing one or more security updates.Description
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20099-1 advisory.Changes in coredns:
- fix CVE-2025-68156 bsc#1255345
- fix CVE-2025-68161 bsc#1256411
- Update to version 1.14.0:
* core: Fix gosec G115 integer overflow warnings
* core: Add regex length limit
* plugin/azure: Fix slice init length
* plugin/errors: Add optional show_first flag to consolidate directive
* plugin/file: Fix for misleading SOA parser warnings
* plugin/kubernetes: Rate limits to api server
* plugin/metrics: Implement plugin chain tracking
* plugin/sign: Report parser err before missing SOA
* build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7
- Update to version 1.13.2:
* core: Add basic support for DoH3
* core: Avoid proxy unnecessary alloc in Yield
* core: Fix usage of sync.Pool to save an alloc
* core: Fix data race with sync.RWMutex for uniq
* core: Prevent QUIC reload panic by lazily initializing the listener
* core: Refactor/use reflect.TypeFor
* plugin/auto: Limit regex length
* plugin/cache: Remove superfluous allocations in item.toMsg
* plugin/cache: Isolate metadata in prefetch goroutine
* plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil packages
* plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy
* plugin/file: Performance finetuning
* plugin/forward: Disallow NOERROR in failover
* plugin/forward: Added support for per-nameserver TLS SNI
* plugin/forward: Prevent busy loop on connection err
* plugin/forward: Add max connect attempts knob
* plugin/geoip: Add ASN schema support
* plugin/geoip: Add support for subdivisions
* plugin/kubernetes: Fix kubernetes plugin logging
* plugin/multisocket: Cap num sockets to prevent OOM
* plugin/nomad: Support service filtering
* plugin/rewrite: Pre-compile CNAME rewrite regexp
* plugin/secondary: Fix reload causing secondary plugin goroutine to leak
- Update to version 1.13.1:
* core: Avoid string concatenation in loops
* core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
* plugin/sign: Reject invalid UTF8 dbfile token
- Update to version 1.13.0:
* core: Export timeout values in dnsserver.Server
* core: Fix Corefile infinite loop on unclosed braces
* core: Fix Corefile related import cycle issue
* core: Normalize panics on invalid origins
* core: Rely on dns.Server.ShutdownContext to gracefully stop
* plugin/dnstap: Add bounds for plugin args
* plugin/file: Fix data race in tree Elem.Name
* plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED response codes
* plugin/grpc: Enforce DNS message size limits
* plugin/loop: Prevent panic when ListenHosts is empty
* plugin/loop: Avoid panic on invalid server block
* plugin/nomad: Add a Nomad plugin
* plugin/reload: Prevent SIGTERM/reload deadlock
- fix CVE-2025-58063 bsc#1249389
- Update to version 1.12.4:
* bump deps
* fix(transfer): goroutine leak on axfr err (#7516)
* plugin/etcd: fix import order for ttl test (#7515)
* fix(grpc): check proxy list length in policies (#7512)
* fix(https): propagate HTTP request context (#7491)
* fix(plugin): guard nil lookups across plugins (#7494)
* lint: add missing prealloc to backend lookup test (#7510)
* fix(grpc): span leak on error attempt (#7487)
* test(plugin): improve backend lookup coverage (#7496)
* lint: enable prealloc (#7493)
* lint: enable durationcheck (#7492)
* Add Sophotech to adopters list (#7495)
* plugin: Use %w to wrap user error (#7489)
* fix(metrics): add timeouts to metrics HTTP server (#7469)
* chore(ci): restrict token permissions (#7470)
* chore(ci): pin workflow dependencies (#7471)
* fix(forward): use netip package for parsing (#7472)
* test(plugin): improve test coverage for pprof (#7473)
* build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
* plugin/file: fix label offset problem in ClosestEncloser (#7465)
* feat(trace): migrate dd-trace-go v1 to v2 (#7466)
* test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
* chore: update Go version to 1.24.6 (#7437)
* plugin/header: Remove deprecated syntax (#7436)
* plugin/loadbalance: support prefer option (#7433)
* Improve caddy.GracefulServer conformance checks (#7416)
- Update to version 1.12.3:
* chore: Minor changes to `Dockerfile` (#7428)
* Properly create hostname from IPv6 (#7431)
* Bump deps
* fix: handle cached connection closure in forward plugin (#7427)
* plugin/test: fix TXT record comparison for multi-chunk vs multiple records
* plugin/file: preserve case in SRV record names and targets per RFC 6763
* fix(auto/file): return REFUSED when no next plugin is available (#7381)
* Port to AWS Go SDK v2 (#6588)
* fix(cache): data race when refreshing cached messages (#7398)
* fix(cache): data race when updating the TTL of cached messages (#7397)
* chore: fix docs incompatibility (#7390)
* plugin/rewrite: Add EDNS0 Unset Action (#7380)
* add args: startup_timeout for kubernetes plugin (#7068)
* [plugin/cache] create a copy of a response to ensure original data is never modified
* Add support for fallthrough to the grpc plugin (#7359)
* view: Add IPv6 example match (#7355)
* chore: enable more rules from revive (#7352)
* chore: enable early-return and superfluous-else from revive (#7129)
* test(plugin): improve tests for auto (#7348)
* fix(proxy): flaky dial tests (#7349)
* test: add t.Helper() calls to test helper functions (#7351)
* fix(kubernetes): multicluster DNS race condition (#7350)
* lint: enable wastedassign linter (#7340)
* test(plugin): add tests for any (#7341)
* Actually invoke make release -f Makefile.release during test (#7338)
* Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
* lint: enable protogetter linter (#7336)
* lint: enable nolintlint linter (#7332)
* fix: missing intrange lint fix (#7333)
* perf(kubernetes): optimize AutoPath slice allocation (#7323)
* lint: enable intrange linter (#7331)
* feat(plugin/file): fallthrough (#7327)
* lint: enable canonicalheader linter (#7330)
* fix(proxy): avoid Dial hang after Transport stopped (#7321)
* test(plugin): add tests for pkg/rand (#7320)
* test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
* fix: loop variable capture and linter (#7328)
* lint: enable usetesting linter (#7322)
* test: skip certain network-specific tests on non-Linux (#7318)
* test(dnsserver): improve core/dnsserver test coverage (#7317)
* fix(metrics): preserve request size from plugins (#7313)
* fix: ensure DNS query name reset in plugin.NS error path (#7142)
* feat: enable plugins via environment during build (#7310)
* fix(plugin/bind): remove zone for link-local IPv4 (#7295)
* test(request): improve coverage across package (#7307)
* test(coremain): Add unit tests (#7308)
* ci(test-e2e): add Go version setup to workflow (#7309)
* kubernetes: add multicluster support (#7266)
* chore: Add new maintainer thevilledev (#7298)
* Update golangci-lint (#7294)
* feat: limit concurrent DoQ streams and goroutines (#7296)
* docs: add man page for multisocket plugin (#7297)
* Prepare for the k8s api upgrade (#7293)
* fix(rewrite): truncated upstream response (#7277)
* fix(plugin/secondary): make transfer property mandatory (#7249)
* plugin/bind: remove macOS bug mention in docs (#7250)
* Remove `?bla=foo:443` for `POST` DoH (#7257)
* Do not interrupt querying readiness probes for plugins (#6975)
* Added `SetProxyOptions` function for `forward` plugin (#7229)
- Backported quic-go PR #5094: Fix parsing of ifindex from packets to ensure compatibility with big-endian architectures (see quic-go/quic-go#4978, coredns/coredns#6682).
- Update to version 1.12.1:
* core: Increase CNAME lookup limit from 7 to 10 (#7153)
* plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
* plugin/kubernetes: Revert only create PTR records for endpoints with hostname defined
* plugin/forward: added option failfast_all_unhealthy_upstreams to return servfail if all upstreams are down
* bump dependencies, fixing bsc#1239294 and bsc#1239728
- Update to version 1.12.0:
* New multisocket plugin - allows CoreDNS to listen on multiple sockets
* bump deps
- Update to version 1.11.4:
* forward plugin: new option next, to try alternate upstreams when receiving specified response codes upstreams on (functions like the external plugin alternate)
* dnssec plugin: new option to load keys from AWS Secrets Manager
* rewrite plugin: new option to revert EDNS0 option rewrites in responses
- Update to version 1.11.3+git129.387f34d:
* fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991) build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
* core: set cache-control max-age as integer, not float (#6764)
* Issue-6671: Fixed the order of plugins. (#6729)
* `root`: explicit mark `dnssec` support (#6753)
* feat: dnssec load keys from AWS Secrets Manager (#6618)
* fuzzing: fix broken oss-fuzz build (#6880)
* Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
* Update .go-version to 1.23.2 (#6920)
* plugin/rewrite: Add revert parameter for EDNS0 options (#6893)
* Added OpenSSF Scorecard Badge (#6738)
* fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
* fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
* feature: log queue and buffer memory size configuration (#6591)
* plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
* only create PTR records for endpoints with hostname defined (#6898)
* fix: reverter should execute the reversion in reversed order (#6872)
* plugin/etcd: fix etcd connection leakage when reload (#6646)
* kubernetes: Add useragent (#6484)
* Update build (#6836)
* Update grpc library use (#6826)
* Bump go version from 1.21.11 to 1.21.12 (#6800)
* Upgrade antonmedv/expr to expr-lang/expr (#6814)
* hosts: add hostsfile as label for coredns_hosts_entries (#6801)
* fix TestCorefile1 panic for nil handling (#6802)
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected coredns and / or coredns-extras packages.See Also
https://bugzilla.suse.com/1239294
https://bugzilla.suse.com/1239728
https://bugzilla.suse.com/1249389
https://bugzilla.suse.com/1255345
https://bugzilla.suse.com/1256411
https://www.suse.com/security/cve/CVE-2024-51744
https://www.suse.com/security/cve/CVE-2025-58063
Plugin Details
Severity: Medium
ID: 296576
File Name: openSUSE-2026-20099-1.nasl
Version: 1.1
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 1/26/2026
Updated: 1/26/2026
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3.1
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N
CVSS Score Source: CVE-2025-68161
CVSS v3
Risk Factor: Medium
Base Score: 4.8
Temporal Score: 4.3
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v4
Risk Factor: Medium
Base Score: 6.3
Threat Score: 2.9
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
Vulnerability Information
CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:coredns, p-cpe:/a:novell:opensuse:coredns-extras
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 1/24/2026
Vulnerability Publication Date: 11/4/2024
Reference Information
CVE: CVE-2024-51744, CVE-2025-58063, CVE-2025-68156, CVE-2025-68161