diff --git a/0001-plugin-reorder-rewrite-before-acl-to-prevent-bypass.patch b/0001-plugin-reorder-rewrite-before-acl-to-prevent-bypass.patch
new file mode 100644
index 0000000000000000000000000000000000000000..158e6f37dbce404cc06c5c79053a1c570d4ef9a3
--- /dev/null
+++ b/0001-plugin-reorder-rewrite-before-acl-to-prevent-bypass.patch
@@ -0,0 +1,31 @@
+From 0c93dd88d756ef39c59e708d60fe2939b2dbdcb9 Mon Sep 17 00:00:00 2001
+From: clarehkli
+Date: Wed, 11 Mar 2026 17:50:09 +0800
+Subject: [PATCH] plugin: reorder rewrite before acl to prevent bypass
+
+---
+ plugin.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugin.cfg b/plugin.cfg
+index 6b3d716..9569bac 100644
+--- a/plugin.cfg
++++ b/plugin.cfg
+@@ -42,13 +42,13 @@ log:log
+ dnstap:dnstap
+ local:local
+ dns64:dns64
+-acl:acl
+ any:any
+ chaos:chaos
+ loadbalance:loadbalance
+ tsig:tsig
+ cache:cache
+ rewrite:rewrite
++acl:acl
+ header:header
+ dnssec:dnssec
+ autopath:autopath
+--
+2.43.7
+
diff --git a/coredns.spec b/coredns.spec
index 699aa2c6e84904f23750236c89bbc1b7f2a21b69..ef8331b800ca72aa0807deaeaa0f2567443bfde1 100644
--- a/coredns.spec
+++ b/coredns.spec
@@ -4,7 +4,7 @@
 Summary: DNS server written in Go
 Name: coredns
 Version: 1.12.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Apache-2.0
 URL: https://coredns.io
 Source0: https://%{goipath}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -14,6 +14,7 @@ Source2: Corefile
 Source3: coredns.service
 Patch5000: 0001-update-expr-to-v1.17.7-to-fix-CVE-2025-68156.patch
+Patch5001: 0001-plugin-reorder-rewrite-before-acl-to-prevent-bypass.patch
 BuildRequires: fdupes golang >= 1.20 go-rpm-macros
 Provides: dns_daemon
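Review bot: In the plugin.cfg hunk carried by the new 0001-plugin-reorder-rewrite-before-acl-to-prevent-bypass.patch file, `acl:acl` now sits below `any:any`, `chaos:chaos`, `loadbalance:loadbalance`, `tsig:tsig` and `cache:cache`, so those plugins handle a query before any ACL decision is made. If cache answers a hit without calling the next plugin, as it does in stock CoreDNS, a client the ACL would refuse can still be served a name that another client has already resolved. Moving the pair up instead, `rewrite:rewrite` then `acl:acl` directly after `dns64:dns64`, would keep the ACL ahead of cache while still letting it see the rewritten name; that changes what cache keys on, so it should be checked against the upstream fix for CVE-2026-26017. The patch header shows only the packager as author, so the upstream commit id this was backported from should be recorded in the patch description.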
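Review bot: In coredns.spec, the new Patch5001 changes only plugin.cfg, while CoreDNS takes its runtime plugin order from the generated core/dnsserver/zdirectives.go rather than from plugin.cfg directly. Unless %build regenerates that file (upstream's Makefile does so through `go generate coredns.go`), the binary keeps the old order and the CVE-2026-26017 fix has no effect; the %prep and %build sections are outside this hunk, so this could not be confirmed here. Either run `go generate coredns.go` in %build before compiling or extend the patch to carry the matching zdirectives.go change. A %check step that asserts acl follows rewrite in the generated directive list would catch a silent regression on the next rebase.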
@@ -87,6 +88,10 @@ install -pm 0644 man/coredns-*.7 %{buildroot}/%{_mandir}/man7
 %{_mandir}/man7/coredns-*
 %changelog
+* Wed Mar 11 2026 clarehkli - 1.12.4-3
+- [Type] security
+- [DESC] backport upstream patch to fix CVE-2026-26017
+
 * Mon Dec 29 2025 clarehkli - 1.12.4-2
 - [Type] security
 - [DESC] bump github.com/expr-lang/expr to v1.17.7 to fix CVE-2025-68156