Ubuntu alert USN-8293-1 (bind9)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8293-1] Bind vulnerabilities | |
| Date: | Thu, 21 May 2026 20:18:12 +0000 | |
| Message-ID: | <E1wQ9qO-00074w-UA@lists.ubuntu.com> |
========================================================================== Ubuntu Security Notice USN-8293-1 May 21, 2026 bind9 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Bind. Software Description: - bind9: Internet Domain Name Server Details: Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API TKEY negotiation. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-3039) Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue records. A remote attacker could possibly use this issue to use Bind in denial of service amplification attacks against other systems. (CVE-2026-3592) Naresh Kandula Parmar discovered that Bind incorrectly handled memory in the DNS-over-HTTPS implementation. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3593) It was discovered that Bind incorrectly handled DNS messages whose class was not IN. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2026-5946) Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation during a query flood. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947) Billy Baraja discovered that Bind had an unbounded resend loop in the resolver. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-5950) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS bind9 1:9.20.18-1ubuntu2.1 Ubuntu 25.10 bind9 1:9.20.11-1ubuntu2.4 Ubuntu 24.04 LTS bind9 1:9.18.39-0ubuntu0.24.04.5 Ubuntu 22.04 LTS bind9 1:9.18.39-0ubuntu0.22.04.4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8293-1 CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950 Package Information: https://launchpad.net/ubuntu/+source/bind9/1:9.20.18-1ubu... https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubu... https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubu... https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubu...
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmoPaEoACgkQcpJm3tlz hgHP7Q/8C5Ig1eY4jdx0+trYRxP8G8rsR3suInnLBP5MYOn5Qzitl57hrvCZ8ag5 Dvm/UCkRN43eTTjJDNlzGqiLE0NE7X3rmF71cOiQrgqCdHTEbr//ZSX8iwlQDSyC J9pe/Rhsrq2WtuaYbc2a2/ODOcaHcNkbZUVyoOKyJ1oeWYWHi/LN07rWSY+oXwWA H0pduqZqdicMqhaccXkDidHyakVlz4T1R5es2QJRPPcNjGPWnTj9py3TNT1tDQ9/ hoeuUzOFVAr8yRr2lsPLmMhHAJcaYBh82UgwCfYNJisMM3x5dJd8mdbprvvZzZ9b jzOYf2oimfTP/1Q4Ub9KJiMYE3PVx7BjrzJhoWX36YiZemW1KdAj8y5QXhBLNor2 3wzPe6lwQqRMQeUZmHxhN0pSTqtkaYNxtmz8CSqdbhXPCwrS3Jy3RSmkQePADY2C PZtw4gWrhCNntLZaSd+nsQtaMaqUBezEdwPx4dlBE9w4EH9d3jyFBRzTy6nH+NWa srAsbNX17/z/4t7m+5zwYBJT8e/2uSH3MORo9weRjL8+AcAj0X+iwlFMi6bVkZWs 9c3rHSIK6vdp6QXSEncbjA8H7isp90eAmL2CscwFiAr3a1v7v7Ev2mZgKfxRGmsN TlfGnu7Dr22sN02QcNBLYU+Woa0AC5swL8k02MJkfMPr5kR9IEg= =Nx+0 -----END PGP SIGNATURE-----