Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch coredns for CVE-2025-59530 [HIGH] - branch 3.0-dev" microsoft#14977

CBL-Mariner-Bot · azurelinux-security · jslobodzian · web-flow · commit 29bee5716397 · 2025-10-30T09:30:18.000-07:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/coredns/CVE-2025-59530.patch b/SPECS/coredns/CVE-2025-59530.patch
@@ -0,0 +1,33 @@
+From f68d11ccd859e1482e0be9b1ff8e3a45bc60f4f4 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 27 Oct 2025 09:18:52 +0000
+Subject: [PATCH] quic: drop initial keys on handshake confirmed; update tests
+ expectations accordingly
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/quic-go/quic-go/pull/5354.patch
+---
+ vendor/github.com/quic-go/quic-go/connection.go | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/vendor/github.com/quic-go/quic-go/connection.go b/vendor/github.com/quic-go/quic-go/connection.go
+index 1411a77..24d634f 100644
+--- a/vendor/github.com/quic-go/quic-go/connection.go
++++ b/vendor/github.com/quic-go/quic-go/connection.go
+@@ -772,6 +772,13 @@ func (s *connection) handleHandshakeComplete() error {
+ }
+ 
+ func (s *connection) handleHandshakeConfirmed() error {
++	// Drop initial keys.
++	// On the client side, this should have happened when sending the first Handshake packet,
++	// but this is not guaranteed if the server misbehaves.
++	// See CVE-2025-59530 for more details.
++	if err := s.dropEncryptionLevel(protocol.EncryptionInitial); err != nil {
++		return err
++	}
+ 	if err := s.dropEncryptionLevel(protocol.EncryptionHandshake); err != nil {
+ 		return err
+ 	}
+-- 
+2.45.4
+
diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec
@@ -6,7 +6,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.4
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -42,6 +42,7 @@ Patch3:         CVE-2025-30204.patch
 Patch4:         CVE-2024-53259.patch
 Patch5:         CVE-2025-47950.patch
 Patch6:         CVE-2025-58063.patch
+Patch7:         CVE-2025-59530.patch
 
 BuildRequires:  golang < 1.25
 
@@ -83,6 +84,9 @@ go install github.com/fatih/faillint@latest && \
 %{_bindir}/%{name}
 
 %changelog
+* Mon Oct 27 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.11.4-11
+- Patch for CVE-2025-59530
+
 * Thu Sep 18 2025 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.11.4-10
 - Changed patch order to resolve 'make' race condition.
 
