ALAS2023-2026-1808

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1808
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08

Severity: Medium

References: CVE-2026-42011 CVE-2026-42012 CVE-2026-42013 CVE-2026-5419
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Permitted name constraints were wrongfully ignored when prior CAs only had excluded name constraints, resulting in a name constraint bypass. The issue was reported in the issue tracker as #1824 by Haruto Kimura (Stella). (CVE-2026-42011)

Certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, allowing potential misuse of such certificates beyond their original purpose. The issue was reported in the issue tracker as #1802 by Oleh Konko (1seal). (CVE-2026-42012)

Validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name. (CVE-2026-42013)

The PKCS#7 padding check performed during decryption was not constant-time, potentially leaking information about the padding bytes through timing differences. The issue was reported in the issue tracker as #1815 by Doria Tang of Stony Brook University.
Recommendation: To address the issue found, upgrade to GnuTLS 3.8.13 or later versions. (CVE-2026-5419)

Affected Packages:

gnutls

Issue Correction:
Run dnf update gnutls --releasever 2023.12.20260608 or dnf update --advisory ALAS2023-2026-1808 --releasever 2023.12.20260608 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

aarch64:
    gnutls-debuginfo-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-dane-debuginfo-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-c++-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-utils-debuginfo-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-c++-debuginfo-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-dane-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-debugsource-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-utils-3.8.10-4.amzn2023.0.2.aarch64
    gnutls-devel-3.8.10-4.amzn2023.0.2.aarch64

src:
    gnutls-3.8.10-4.amzn2023.0.2.src

x86_64:
    gnutls-debuginfo-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-utils-debuginfo-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-c++-debuginfo-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-dane-debuginfo-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-dane-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-utils-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-c++-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-debugsource-3.8.10-4.amzn2023.0.2.x86_64
    gnutls-devel-3.8.10-4.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-5419

Mitre: CVE-2026-42011, CVE-2026-42012, CVE-2026-42013, CVE-2026-5419