[AutoPR- Security] Patch coredns for CVE-2026-26018, CVE-2026-26017 [HIGH] (#16160)

azurelinux-security · akhila-guruju · jslobodzian · web-flow · commit bd14562647d1 · 2026-03-13T09:37:29.000-04:00
Co-authored-by: akhila-guruju &lt;v-guakhila@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/coredns/CVE-2026-26017.patch b/SPECS/coredns/CVE-2026-26017.patch
@@ -0,0 +1,71 @@
+From e4b9a976441491881377947a200f414c7961e936 Mon Sep 17 00:00:00 2001
+From: younevsky <younevsky@gmail.com>
+Date: Wed, 25 Feb 2026 00:34:31 +0000
+Subject: [PATCH] plugin: reorder rewrite before acl to prevent bypass
+
+Signed-off-by: younevsky <younevsky@gmail.com>
+
+Upstream Patch reference: https://github.com/coredns/coredns/pull/7882.patch
+
+Makefile target for the two z*.go files depends on plugin.cfg.
+So the change in plugin.cfg will trigger the rebuild of the two z*.go files.
+---
+ plugin.cfg                    | 2 +-
+ core/dnsserver/zdirectives.go | 2 +-
+ core/plugin/zplugin.go        | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/plugin.cfg b/plugin.cfg
+index 081a57e..42b5414 100644
+--- a/plugin.cfg
++++ b/plugin.cfg
+@@ -43,13 +43,13 @@ log:log
+ dnstap:dnstap
+ local:local
+ dns64:dns64
+-acl:acl
+ any:any
+ chaos:chaos
+ loadbalance:loadbalance
+ tsig:tsig
+ cache:cache
+ rewrite:rewrite
++acl:acl
+ header:header
+ dnssec:dnssec
+ autopath:autopath
+diff --git a/core/dnsserver/zdirectives.go b/core/dnsserver/zdirectives.go
+index bc4b086..66e2aec 100644
+--- a/core/dnsserver/zdirectives.go
++++ b/core/dnsserver/zdirectives.go
+@@ -34,13 +34,13 @@ var Directives = []string{
+ 	"dnstap",
+ 	"local",
+ 	"dns64",
+-	"acl",
+ 	"any",
+ 	"chaos",
+ 	"loadbalance",
+ 	"tsig",
+ 	"cache",
+ 	"rewrite",
++	"acl",
+ 	"header",
+ 	"dnssec",
+ 	"autopath",
+diff --git a/core/plugin/zplugin.go b/core/plugin/zplugin.go
+index a357ddc..aa9d009 100644
+--- a/core/plugin/zplugin.go
++++ b/core/plugin/zplugin.go
+@@ -3,7 +3,7 @@
+ package plugin
+ 
+ import (
+-	// Include all plugins.
++	// Include all the plugins.
+ 	_ "github.com/coredns/caddy/onevent"
+ 	_ "github.com/coredns/coredns/plugin/acl"
+ 	_ "github.com/coredns/coredns/plugin/any"
+-- 
+2.43.0
+
diff --git a/SPECS/coredns/CVE-2026-26018.patch b/SPECS/coredns/CVE-2026-26018.patch
@@ -0,0 +1,61 @@
+From 02391769e4f3eff1d5bace4c82505c213b495625 Mon Sep 17 00:00:00 2001
+From: YOUNEVSKY <77975903+younevsky@users.noreply.github.com>
+Date: Wed, 25 Feb 2026 10:21:04 +0000
+Subject: [PATCH] plugin/loop: use crypto/rand for query name generation
+ (#7881)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/coredns/coredns/commit/7ae1c40db200a29d8160707bcffb232c53a2005c.patch
+---
+ plugin/loop/setup.go | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/plugin/loop/setup.go b/plugin/loop/setup.go
+index 4e076c6..5d9d5b5 100644
+--- a/plugin/loop/setup.go
++++ b/plugin/loop/setup.go
+@@ -1,6 +1,8 @@
+ package loop
+ 
+ import (
++	"crypto/rand"
++	"math/big"
+ 	"net"
+ 	"strconv"
+ 	"time"
+@@ -9,7 +11,6 @@ import (
+ 	"github.com/coredns/coredns/core/dnsserver"
+ 	"github.com/coredns/coredns/plugin"
+ 	"github.com/coredns/coredns/plugin/pkg/dnsutil"
+-	"github.com/coredns/coredns/plugin/pkg/rand"
+ )
+ 
+ func init() { plugin.Register("loop", setup) }
+@@ -76,12 +77,20 @@ func parse(c *caddy.Controller) (*Loop, error) {
+ 	return New(zones[0]), nil
+ }
+ 
+-// qname returns a random name. <rand.Int()>.<rand.Int().<zone>.
++// qname returns a secure random name: <random-int>.<random-int>.<zone>.
+ func qname(zone string) string {
+-	l1 := strconv.Itoa(r.Int())
+-	l2 := strconv.Itoa(r.Int())
++	l1 := secureRandIntString()
++	l2 := secureRandIntString()
+ 
+ 	return dnsutil.Join(l1, l2, zone)
+ }
+ 
+-var r = rand.New(time.Now().UnixNano())
++func secureRandIntString() string {
++	// Generate a random 62-bit integer
++	n, err := rand.Int(rand.Reader, big.NewInt(1<<62))
++	if err != nil {
++		// Fallback to startup time in case rand.Reader is unavailable
++		return strconv.FormatInt(time.Now().UnixNano(), 10)
++	}
++	return n.String()
++}
+-- 
+2.45.4
+
diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec
@@ -3,7 +3,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.1
-Release:        25%{?dist}
+Release:        26%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -49,6 +49,8 @@ Patch13:        CVE-2025-47950.patch
 Patch14:        CVE-2025-58063.patch
 Patch15:        CVE-2025-59530.patch
 Patch16:        CVE-2025-68151.patch
+Patch17:        CVE-2026-26017.patch
+Patch18:        CVE-2026-26018.patch
 
 BuildRequires:  msft-golang
 
@@ -87,6 +89,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 %{_bindir}/%{name}
 
 %changelog
+* Wed Mar 11 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.11.1-26
+- Patch for CVE-2026-26018, CVE-2026-26017
+
 * Mon Jan 19 2026 Aditya Singh <v-aditysing@microsoft.com> - 1.11.1-25
 - Patch for CVE-2025-68151
 
