Alpine: bind: security update to 9.11.5_p4-r0

high Tenable Cloud Security Plugin ID 403644

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued
after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The
intended (and documented) behavior is that if an operator has not specified a value for the "allow-
recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in
named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;"
(the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query"
(see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of
"allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly
set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change
#4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-
query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from
the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12,
9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1,
9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition. (CVE-2018-5738)

- A failure to free memory can occur when processing messages having a specific combination of EDNS options.
Versions affected are: BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions
9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13
development branch are also affected. (CVE-2018-5744)

- "managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust
anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys
feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if,
during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm.
Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions
9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13
development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for
vulnerability to CVE-2018-5745. (CVE-2018-5745)

- Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones
are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and
versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13
development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for
vulnerability to CVE-2019-6465. (CVE-2019-6465)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-5738

https://security.alpinelinux.org/vuln/CVE-2018-5744

https://security.alpinelinux.org/vuln/CVE-2018-5745

https://security.alpinelinux.org/vuln/CVE-2019-6465

Plugin Details

Severity: High

ID: 403644

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/12/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2018-5738

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/18/2018

Reference Information

CVE: CVE-2018-5738, CVE-2018-5744, CVE-2018-5745, CVE-2019-6465

BID: 107125, 107140, 107142

IAVA: 2019-A-0069-S