From 0fe8f82c50f44b8720848724952537bdd14765e5 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 11 Mar 2026 06:00:59 +0000
Subject: [PATCH 1/2] Patch coredns for CVE-2026-26018, CVE-2026-26017

---
 SPECS/coredns/CVE-2026-26017.patch | 34 +++++++++++++++++
 SPECS/coredns/CVE-2026-26018.patch | 61 ++++++++++++++++++++++++++++++
 SPECS/coredns/coredns.spec | 7 +++-
 3 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/coredns/CVE-2026-26017.patch
 create mode 100644 SPECS/coredns/CVE-2026-26018.patch

diff --git a/SPECS/coredns/CVE-2026-26017.patch b/SPECS/coredns/CVE-2026-26017.patch
new file mode 100644
index 00000000000..a459c86880e
--- /dev/null
+++ b/SPECS/coredns/CVE-2026-26017.patch
@@ -0,0 +1,34 @@
+From 354eb049d394e3c54ef3583ea0c069d0f39d28a2 Mon Sep 17 00:00:00 2001
+From: younevsky
+Date: Wed, 25 Feb 2026 00:34:31 +0000
+Subject: [PATCH] plugin: reorder rewrite before acl to prevent bypass
+
+Signed-off-by: younevsky
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/coredns/coredns/pull/7882.patch
+---
+ plugin.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugin.cfg b/plugin.cfg
+index b41f941..122128d 100644
+--- a/plugin.cfg
++++ b/plugin.cfg
+@@ -43,13 +43,13 @@ log:log
+ dnstap:dnstap
+ local:local
+ dns64:dns64
+-acl:acl
+ any:any
+ chaos:chaos
+ loadbalance:loadbalance
+ tsig:tsig
+ cache:cache
+ rewrite:rewrite
++acl:acl
+ header:header
+ dnssec:dnssec
+ autopath:autopath
+--
+2.45.4
+
diff --git a/SPECS/coredns/CVE-2026-26018.patch b/SPECS/coredns/CVE-2026-26018.patch
new file mode 100644
index 00000000000..fae874da433
--- /dev/null
+++ b/SPECS/coredns/CVE-2026-26018.patch
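Review bot: The reordered plugin.cfg places acl after cache as well as after rewrite, so if plugin.cfg order is the chain order (as the patch subject implies), a response answered from cache would presumably be returned before acl ever sees the client; worth confirming against the 1.11.1 tree that this is the ordering upstream intended rather than an artefact of where acl was slotted in. The `Upstream-reference:` trailer points at a pull-request patch (pull/7882.patch) rather than a merged commit, unlike the sibling CVE-2026-26018.patch which pins a commit hash; referencing the merged commit would make the backport verifiable after the PR branch changes.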
@@ -0,0 +1,61 @@
+From 02391769e4f3eff1d5bace4c82505c213b495625 Mon Sep 17 00:00:00 2001
+From: YOUNEVSKY <77975903+younevsky@users.noreply.github.com>
+Date: Wed, 25 Feb 2026 10:21:04 +0000
+Subject: [PATCH] plugin/loop: use crypto/rand for query name generation
+ (#7881)
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/coredns/coredns/commit/7ae1c40db200a29d8160707bcffb232c53a2005c.patch
+---
+ plugin/loop/setup.go | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/plugin/loop/setup.go b/plugin/loop/setup.go
+index 4e076c6..5d9d5b5 100644
+--- a/plugin/loop/setup.go
++++ b/plugin/loop/setup.go
+@@ -1,6 +1,8 @@
+ package loop
+ 
+ import (
++	"crypto/rand"
++	"math/big"
+ 	"net"
+ 	"strconv"
+ 	"time"
+@@ -9,7 +11,6 @@ import (
+ 	"github.com/coredns/coredns/core/dnsserver"
+ 	"github.com/coredns/coredns/plugin"
+ 	"github.com/coredns/coredns/plugin/pkg/dnsutil"
+-	"github.com/coredns/coredns/plugin/pkg/rand"
+ )
+ 
+ func init() { plugin.Register("loop", setup) }
+@@ -76,12 +77,20 @@ func parse(c *caddy.Controller) (*Loop, error) {
+ 	return New(zones[0]), nil
+ }
+ 
+-// qname returns a random name. ..
++// qname returns a secure random name: ...
+ func qname(zone string) string {
+-	l1 := strconv.Itoa(r.Int())
+-	l2 := strconv.Itoa(r.Int())
++	l1 := secureRandIntString()
++	l2 := secureRandIntString()
+ 
+ 	return dnsutil.Join(l1, l2, zone)
+ }
+ 
+-var r = rand.New(time.Now().UnixNano())
++func secureRandIntString() string {
++	// Generate a random 62-bit integer
++	n, err := rand.Int(rand.Reader, big.NewInt(1<<62))
++	if err != nil {
++		// Fallback to startup time in case rand.Reader is unavailable
++		return strconv.FormatInt(time.Now().UnixNano(), 10)
++	}
++	return n.String()
++}
+--
+2.45.4
+
diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec
index baf3ec47eab..9c1038fdce1 100644
--- a/SPECS/coredns/coredns.spec
+++ b/SPECS/coredns/coredns.spec
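Review bot: The error branch of the added `secureRandIntString` returns `time.Now().UnixNano()`, a predictable value, so a failing `rand.Reader` silently degrades to the same guessable-qname weakness this CVE patch removes, and the comment `// Fallback to startup time` is inaccurate because the value is the time of the call, not process start. This is upstream's code, so changing behaviour in a backport is a judgment call, but the comment should at least say so, e.g. `// Fallback (predictable): rand.Reader failed; uses the current time, not startup time`, and the failure is worth a log line so operators can see the degradation. The new function has no doc comment; `// secureRandIntString returns the decimal string of a uniformly random integer in [0, 2^62) read from crypto/rand.` would cover it. The `time` import now exists only to serve this fallback.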
@@ -3,7 +3,7 @@
 Summary: Fast and flexible DNS server
 Name: coredns
 Version: 1.11.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: Apache License 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -49,6 +49,8 @@ Patch13: CVE-2025-47950.patch
 Patch14: CVE-2025-58063.patch
 Patch15: CVE-2025-59530.patch
 Patch16: CVE-2025-68151.patch
+Patch17: CVE-2026-26017.patch
+Patch18: CVE-2026-26018.patch
 
 BuildRequires: msft-golang
 
@@ -87,6 +89,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name}
 %{_bindir}/%{name}
 
 %changelog
+* Wed Mar 11 2026 Azure Linux Security Servicing Account - 1.11.1-26
+- Patch for CVE-2026-26018, CVE-2026-26017
+
 * Mon Jan 19 2026 Aditya Singh - 1.11.1-25
 - Patch for CVE-2025-68151
 

From 4a528a224e353c2c183aaf227d77563ff07ab657 Mon Sep 17 00:00:00 2001
From: akhila-guruju
Date: Wed, 11 Mar 2026 08:17:20 +0000
Subject: [PATCH 2/2] modify patch to fix build

---
 SPECS/coredns/CVE-2026-26017.patch | 51 ++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 7 deletions(-)

diff --git a/SPECS/coredns/CVE-2026-26017.patch b/SPECS/coredns/CVE-2026-26017.patch
index a459c86880e..ec6dcfc34ac 100644
--- a/SPECS/coredns/CVE-2026-26017.patch
+++ b/SPECS/coredns/CVE-2026-26017.patch
@@ -1,17 +1,22 @@
-From 354eb049d394e3c54ef3583ea0c069d0f39d28a2 Mon Sep 17 00:00:00 2001
+From e4b9a976441491881377947a200f414c7961e936 Mon Sep 17 00:00:00 2001
 From: younevsky
 Date: Wed, 25 Feb 2026 00:34:31 +0000
 Subject: [PATCH] plugin: reorder rewrite before acl to prevent bypass
 
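Review bot: Patch17 and Patch18 are declared in the `@@ -49,6 +49,8 @@` hunk, but the %prep section is outside these hunks; if this spec applies patches with explicit `%patch` lines rather than `%autosetup`/`%autopatch`, two matching entries are needed there, otherwise the CVE patches are declared but never applied and the build would not reveal it. The changelog entry lists the CVEs in reverse order of the Patch numbering (`CVE-2026-26018, CVE-2026-26017`); matching the Patch17/Patch18 order would make cross-checking easier.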
 Signed-off-by: younevsky
-Signed-off-by: Azure Linux Security Servicing Account
-Upstream-reference: https://github.com/coredns/coredns/pull/7882.patch
+
+Upstream Patch reference: https://github.com/coredns/coredns/pull/7882.patch
+
+Makefile target for the two z*.go files depends on plugin.cfg.
+So the change in plugin.cfg will trigger the rebuild of the two z*.go files.
 ---
- plugin.cfg | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ plugin.cfg | 2 +-
+ core/dnsserver/zdirectives.go | 2 +-
+ core/plugin/zplugin.go | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/plugin.cfg b/plugin.cfg
-index b41f941..122128d 100644
+index 081a57e..42b5414 100644
 --- a/plugin.cfg
 +++ b/plugin.cfg
 @@ -43,13 +43,13 @@ log:log
@@ -29,6 +34,38 @@ index b41f941..122128d 100644
  header:header
  dnssec:dnssec
  autopath:autopath
+diff --git a/core/dnsserver/zdirectives.go b/core/dnsserver/zdirectives.go
+index bc4b086..66e2aec 100644
+--- a/core/dnsserver/zdirectives.go
++++ b/core/dnsserver/zdirectives.go
+@@ -34,13 +34,13 @@ var Directives = []string{
+ 	"dnstap",
+ 	"local",
+ 	"dns64",
+-	"acl",
+ 	"any",
+ 	"chaos",
+ 	"loadbalance",
+ 	"tsig",
+ 	"cache",
+ 	"rewrite",
++	"acl",
+ 	"header",
+ 	"dnssec",
+ 	"autopath",
+diff --git a/core/plugin/zplugin.go b/core/plugin/zplugin.go
+index a357ddc..aa9d009 100644
+--- a/core/plugin/zplugin.go
++++ b/core/plugin/zplugin.go
+@@ -3,7 +3,7 @@
+ package plugin
+ 
+ import (
+-	// Include all plugins.
++	// Include all the plugins.
+ 	_ "github.com/coredns/caddy/onevent"
+ 	_ "github.com/coredns/coredns/plugin/acl"
+ 	_ "github.com/coredns/coredns/plugin/any"
 --
-2.45.4
+2.43.0
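Review bot: The rewritten patch header drops the `Signed-off-by: Azure Linux Security Servicing Account` trailer and turns the `Upstream-reference:` trailer into a free-text `Upstream Patch reference:` line, which makes this file inconsistent with the sibling CVE-2026-26018.patch, where both remain proper trailers, and anything that parses trailers for provenance will no longer find the upstream link. Keeping `Upstream-reference: https://github.com/coredns/coredns/pull/7882.patch` in trailer form and placing the Makefile explanation above the trailer block would preserve both. The new leading id (e4b9a976…) appears to be a local rebase rather than the referenced upstream commit, so one sentence saying so would help the next person who tries to verify the hash.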
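Review bot: The zplugin.go portion of the nested patch changes only the comment `// Include all plugins.` to `// Include all the plugins.`; as far as this hunk shows, the import list there merely registers plugins, so this part is cosmetic and the functional fix is the `Directives` slice reorder in zdirectives.go, which now agrees with plugin.cfg (cache, rewrite, acl). Keeping it is harmless if it reproduces the generator output, but the description's claim that the Makefile regenerates these files from plugin.cfg sits oddly next to hand-patching them; a sentence stating whether the two z*.go hunks were produced by running that target (so a reviewer can regenerate and diff) would remove the ambiguity. The zdirectives.go hunk's enclosing `var Directives` literal continues outside the hunk.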