Security vulnerability: Go Package: github.com/Azure/go-autorest/autorest/adal reached EOL #97

@shwethadec01

Dear CoreDNS Maintainers,

We've identified that the CoreDNS project includes a reference to the deprecated github.com/Azure/go-autorest/autorest/adal package (see go.mod reference). Since ADAL has reached end-of-life (EOL) and is no longer supported by Microsoft, we are assessing the implications for our dependency management and security posture.

Could you kindly confirm the following:

Has the ADAL dependency been removed or replaced in any of the recent CoreDNS releases?

If not, are there any plans to migrate to MSAL or another supported authentication library?

I had initially raised this concern via email with your security mailing list, but was informed that it may no longer be actively monitored. They recommended opening a GitHub issue instead, so I’m reaching out here for better visibility.

Appreciate your time and any guidance you can provide.

This issue came to our attention while reviewing RKE2 1.31.1, which includes rancher/hardened-coredns v1.11.1-build20240910.
