Multiple CVEs in k8s-dns-node-cache:1.26.7 (libssl3, k8s.io/kubernetes, quic-go)

[jonathanlowe-wk]

Summary

The latest k8s-dns-node-cache image tag (1.26.7) contains the following unpatched CVEs detected by Grype scan:

CVE ID	Package	Current Version	Fixed In	Severity
CVE-2025-15467	libssl3	3.0.17-1~deb12u3	3.0.18-1~deb12u2	Critical (CVSS 9.8)
CVE-2025-13281	k8s.io/kubernetes	v1.34.1	1.34.2	Medium
CVE-2025-64702	github.com/quic-go/quic-go	v0.55.0	0.57.0	Medium

Impact

These CVEs are detected by Grype scans of the published registry.k8s.io/dns/k8s-dns-node-cache:1.26.7 image. Downstream consumers who pin to this tag cannot remediate without an upstream rebuild or new release.

Request

Could the k8s-dns-node-cache image be rebuilt with updated dependencies, or a new patch release be published that addresses these vulnerabilities? Specifically:

1. Rebuild the Debian base layer to pick up libssl3 >= 3.0.18-1~deb12u2
2. Update k8s.io/kubernetes to >= 1.34.2
3. Update github.com/quic-go/quic-go to >= 0.57.0

[danwinship]

The kubernetes/dns repo is going to be archived, and the node-local-dns code has been moved to a new repo, https://github.com/kubernetes-sigs/node-local-dns. Unfortunately, it doesn't seem to be possible to move an issue to a repo in another GitHub org.

If this issue is still a problem, please file a new issue at https://github.com/kubernetes-sigs/node-local-dns/issues/new/choose and include a link back to this one in the description.

[brandond]

@danwinship was there a community meeting or kubecon session where this plan was announced? Where can we look to find more context on this decision?

[danwinship]

It was discussed at the SIG meeting on Feb 26, and then announced on the mailing list.

I guess my comment before wasn't totally clear: the kubernetes/dns repo is currently home to both kube-dns and Node-Local DNS Cache, which are completely separate unrelated pieces of kubernetes-dns-related software. We are deprecating kube-dns, and moving Node-Local DNS Cache to a new repo (under kubernetes-sigs which is where SIG subprojects are supposed to go these days) and then archiving kubernetes/dns.

[jonathanlowe-wk]

@danwinship does this also mean that #756 which would fix these CVEs won't be getting merged in this repo?

[lu3ke]

The kubernetes/dns repo is going to be archived, and the node-local-dns code has been moved to a new repo, https://github.com/kubernetes-sigs/node-local-dns.

Is there an expected release timeline for the new one?