[CLSA-2026:1779462604] unbound: Fix of 2 CVEs
Type:
security
Severity:
Critical
Release date:
2026-05-22 15:10:08 UTC
Description:
- CVE-2026-33278: fix dangling pointer use-after-free in dns_msg_deepcopy_region(); the buggy struct-assignment overwrote the destination's freshly-allocated rrsets pointer with the source's pointer, causing the resumed validator to dereference a dangling pointer after the source region was freed. The vulnerable code was previously backported as part of CVE-2023-50868.patch (NSEC3 closest-encloser fix).
- CVE-2026-33278: backport defense-in-depth NSEC3 parameter consistency check (param_set_same) from the same upstream commit; rejects NSEC3 responses mixing records from distinct cryptographic chains.
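The copy-ordering flaw described for dns_msg_deepcopy_region(), shown as an added example that is not Unbound's code or the upstream patch: a simplified C model in which a struct assignment clobbers the copy's fresh rrsets pointer, beside a corrected ordering. The types (struct region, struct reply, struct rrset), the helper names and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Bump allocator standing in for a memory region (hypothetical model). */
struct region { unsigned char buf[512]; size_t used; };
struct rrset  { int type; };
struct reply  { size_t rrset_count; struct rrset **rrsets; };

static void *region_alloc(struct region *r, size_t n) {
    n = (n + 7u) & ~(size_t)7u;        /* keep allocations pointer-aligned */
    if (n > sizeof(r->buf) - r->used) return NULL;
    r->used += n;
    return r->buf + r->used - n;
}

/* True when p points inside region r, i.e. r's lifetime covers it. */
int region_owns(const struct region *r, const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)r->buf;
    return a >= lo && a < lo + sizeof(r->buf);
}

/* Constructed source message with n rrsets, all allocated in region r. */
struct reply *make_source(struct region *r, size_t n) {
    struct reply *m = region_alloc(r, sizeof(*m));
    if (!m) return NULL;
    m->rrset_count = n;
    m->rrsets = region_alloc(r, n * sizeof(*m->rrsets));
    if (!m->rrsets) return NULL;
    for (size_t i = 0; i < n; i++) {
        m->rrsets[i] = region_alloc(r, sizeof(struct rrset));
        if (!m->rrsets[i]) return NULL;
        m->rrsets[i]->type = 50 + (int)i;   /* constructed sample values */
    }
    return m;
}

/* fixed == 0: flawed order, the assignment clobbers the fresh pointer.
 * fixed != 0: re-point rrsets at the copy's own array, then copy elements. */
struct reply *deepcopy(const struct reply *src, struct region *to, int fixed) {
    struct reply *dst = region_alloc(to, sizeof(*dst));
    struct rrset **own = region_alloc(to, src->rrset_count * sizeof(*own));
    if (!dst || !own) return NULL;
    dst->rrsets = own;               /* freshly allocated array */
    *dst = *src;                     /* copies src->rrsets over dst->rrsets */
    if (!fixed) return dst;          /* dst->rrsets now aliases src's region */
    dst->rrsets = own;               /* restore the pointer the copy owns */
    for (size_t i = 0; i < src->rrset_count; i++) {
        if (!(own[i] = region_alloc(to, sizeof(struct rrset)))) return NULL;
        *own[i] = *src->rrsets[i];
    }
    return dst;
}
```

In the flawed ordering the copy's rrsets pointer lives only as long as the source region, so any use of the copy after that region is released reads freed memory; `region_owns()` is the kind of ownership assertion a regression test can make on the copy.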
Updated packages:
  • python2-unbound-1.7.3-15.amzn2.0.12.tuxcare.els2.x86_64.rpm
    sha:cbd6afcc2127b5cb2ea55c4950cffb5424d164b0663ae642c4223c91d5a73f7a
  • python3-unbound-1.7.3-15.amzn2.0.12.tuxcare.els2.x86_64.rpm
    sha:18ebdf7b17d502356b2eae56f933a1f93c631c3b254c20be1b78537e6bc605f3
  • unbound-1.7.3-15.amzn2.0.12.tuxcare.els2.x86_64.rpm
    sha:65dc48f835e8d7db1761df548f51e3b32865abb9b0b2829310f3617da7ab768c
  • unbound-devel-1.7.3-15.amzn2.0.12.tuxcare.els2.x86_64.rpm
    sha:d6b890c119f647e11e6c83e8bbca917962df76315ad9b3a285ee9719c0845fc0
  • unbound-libs-1.7.3-15.amzn2.0.12.tuxcare.els2.i686.rpm
    sha:4c47f36195940d9b8f954843b0e4d18bf23bc744ff1ddbcc3ead4094e2e8c4e1
  • unbound-libs-1.7.3-15.amzn2.0.12.tuxcare.els2.x86_64.rpm
    sha:18e031583bbe259b1e6a4efc0e8bd48ec5c88d961cb0f97db900f2588e7f7a6d
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.