VYPR

rpm package

opensuse/coredns&distro=openSUSE Leap 16.0

pkg:rpm/opensuse/coredns&distro=openSUSE%20Leap%2016.0

Vulnerabilities (11)

  • CVE-2026-26017, Mar 6, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a T

  • CVE-2026-26018, Mar 6, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a pr

  • CVE-2025-68121, Cri, Feb 5, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61728, Jan 28, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726, Jan 28, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61731, Jan 28, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can

  • CVE-2025-68119, Jan 28, 2026
    affected < 1.14.2-bp160.1.1, fixed 1.14.2-bp160.1.1

    Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are

  • CVE-2025-68161, Dec 18, 2025
    affected < 1.14.0-bp160.1.1, fixed 1.14.0-bp160.1.1

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-68156, Dec 16, 2025
    affected < 1.14.0-bp160.1.1, fixed 1.14.0-bp160.1.1

    Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursi

  • CVE-2025-58063, Hig, Sep 9, 2025
    affected < 1.14.0-bp160.1.1, fixed 1.14.0-bp160.1.1

    CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a Do

  • CVE-2024-51744, Low, Nov 4, 2024
    affected < 1.14.0-bp160.1.1, fixed 1.14.0-bp160.1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r