ALAS2023-2026-1755

References: CVE-2026-3039  CVE-2026-3592  CVE-2026-5946  CVE-2026-5950 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Fix GSS-API resource leak (CVE-2026-3039)

Limit resolver server list size (CVE-2026-3592)

An unauthenticated remote attacker can crash any affected named instance with a single crafted DNS message, causing denial of service. Both authoritative servers and resolvers are affected. (CVE-2026-5946)

Avoid unbounded recursion loop (CVE-2026-5950)

Issue Correction:
Run dnf update bind --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1755 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    bind-dnssec-utils-9.18.49-1.amzn2023.0.1.aarch64
    bind-dnssec-utils-debuginfo-9.18.49-1.amzn2023.0.1.aarch64
    bind-debuginfo-9.18.49-1.amzn2023.0.1.aarch64
    bind-chroot-9.18.49-1.amzn2023.0.1.aarch64
    bind-libs-debuginfo-9.18.49-1.amzn2023.0.1.aarch64
    bind-debugsource-9.18.49-1.amzn2023.0.1.aarch64
    bind-9.18.49-1.amzn2023.0.1.aarch64
    bind-utils-9.18.49-1.amzn2023.0.1.aarch64
    bind-libs-9.18.49-1.amzn2023.0.1.aarch64
    bind-utils-debuginfo-9.18.49-1.amzn2023.0.1.aarch64
    bind-devel-9.18.49-1.amzn2023.0.1.aarch64

noarch:
    bind-doc-9.18.49-1.amzn2023.0.1.noarch
    bind-license-9.18.49-1.amzn2023.0.1.noarch

src:
    bind-9.18.49-1.amzn2023.0.1.src

x86_64:
    bind-libs-debuginfo-9.18.49-1.amzn2023.0.1.x86_64
    bind-debugsource-9.18.49-1.amzn2023.0.1.x86_64
    bind-debuginfo-9.18.49-1.amzn2023.0.1.x86_64
    bind-libs-9.18.49-1.amzn2023.0.1.x86_64
    bind-devel-9.18.49-1.amzn2023.0.1.x86_64
    bind-dnssec-utils-debuginfo-9.18.49-1.amzn2023.0.1.x86_64
    bind-chroot-9.18.49-1.amzn2023.0.1.x86_64
    bind-utils-debuginfo-9.18.49-1.amzn2023.0.1.x86_64
    bind-utils-9.18.49-1.amzn2023.0.1.x86_64
    bind-dnssec-utils-9.18.49-1.amzn2023.0.1.x86_64
    bind-9.18.49-1.amzn2023.0.1.x86_64