[Medium] Patch coredns for CVE-2025-68151

[v-aaditya]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patch coredns for CVE-2025-68151

• Upstream patch has been backported manually.

• Patch for https3 module has not been included as this module does not exist in our version of coredns.

• vendor/golang.org/x/net/netutil/listen.go has been added to vendor directory and updated "module.txt" for the same.

• 2 test cases from upstream patch are not included in test/grpc_test.go file as a lot of code to has to be added for few missing APIs.

• Updated go language to 1.22.0 from 1.20 in go.mod file as some parts of the patch were not compiling with go 1.20.

• Upstream Patch Reference: https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812.patch

Change Log

• modified: SPECS/coredns/coredns.spec
• new file: SPECS/coredns/CVE-2025-68151.patch

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-68151

Test Methodology

• Local build was successful.

• License check script shows no warning.

• Build log
  coredns-1.11.1-25.cm2.src.rpm.log
  coredns-1.11.1-25.cm2.src.rpm.test.log

• Patch applies cleanly

• Installation Check

• Uninstallation Check

[Kanishk-Bansal]

Buddy Build

[v-aaditya]

Buddy Build

Buddy Build has passed !

[suresh-thelkar]

It seems couple of tests from test/grpc_test.go are excluded. As long as they do not belong to the code changes made as per this patch or in any way they affect the changes we are good. Code changes look good to me. Since the changes are huge in nature, It would be better if we can run full build and make sure everything goes fine.

[Kanishk-Bansal]

Full Build

[v-aaditya]

Full Build

Full build has passed !

[kgodara912]

Waiting for full build results. The pass is the prepare pipeline and not the actual runs.

[v-aaditya]

Waiting for full build results. The pass is the prepare pipeline and not the actual runs.

Full build has failed in these 3 scenarios and seems unrelated to this PR -

Extended -

1. https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1033606&view=results
   Failed to build pngcrush-1.8.13-11.cm2.src.rpm SRPM.
2. https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1033367&view=results
   Failed to build multiple SRPMs.

ContainerTests -

1. https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1033742&view=results
   Test for kubevirt package has failed.

CC: @kgodara912