[AutoPR- Security] Patch coredns for CVE-2025-59530 [HIGH] (microsoft#14932)

Author: azurelinux-security

SPECS/coredns/CVE-2025-59530.patch

@@ -0,0 +1,35 @@
+From 5f56167b5c866aa8f9fd19cca43621776c99c98e Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Mon, 27 Oct 2025 09:31:02 +0000
+Subject: [PATCH] vendor/quic-go: drop initial packets when the handshake is
+ confirmed
+
+Drop Initial keys at handshake confirmation. On the client side, this should have happened when sending the first Handshake packet, but this is not guaranteed if the server misbehaves. See CVE-2025-59530 for more details.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/quic-go/quic-go/pull/5354.patch
+---
+ vendor/github.com/quic-go/quic-go/connection.go | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/vendor/github.com/quic-go/quic-go/connection.go b/vendor/github.com/quic-go/quic-go/connection.go
+index abae204..4e95dad 100644
+--- a/vendor/github.com/quic-go/quic-go/connection.go
++++ b/vendor/github.com/quic-go/quic-go/connection.go
+@@ -761,6 +761,13 @@ func (s *connection) handleHandshakeComplete() error {
+ }
+ 
+ func (s *connection) handleHandshakeConfirmed() error {
++	// Drop initial keys.
++	// On the client side, this should have happened when sending the first Handshake packet,
++	// but this is not guaranteed if the server misbehaves.
++	// See CVE-2025-59530 for more details.
++	if err := s.dropEncryptionLevel(protocol.EncryptionInitial); err != nil {
++		return err
++	}
+ 	if err := s.dropEncryptionLevel(protocol.EncryptionHandshake); err != nil {
+ 		return err
+ 	}
+-- 
+2.45.4
+

SPECS/coredns/coredns.spec

@@ -3,7 +3,7 @@
 Summary:        Fast and flexible DNS server
 Name:           coredns
 Version:        1.11.1
-Release:        23%{?dist}
+Release:        24%{?dist}
 License:        Apache License 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -47,6 +47,7 @@ Patch11:        CVE-2025-29786.patch
 Patch12:        CVE-2024-51744.patch
 Patch13:        CVE-2025-47950.patch
 Patch14:        CVE-2025-58063.patch
+Patch15:        CVE-2025-59530.patch
 
 BuildRequires:  msft-golang
 
@@ -85,6 +86,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 %{_bindir}/%{name}
 
 %changelog
+* Mon Oct 27 2025 Azure Linux Security Servicing Account <[email protected]> - 1.11.1-24
+- Patch for CVE-2025-59530
+
 * Tue Oct 14 2025 Kanishk Bansal <[email protected]> - 1.11.1-23
 - Bump to build with latest golang 1.24.9