Alpine: multiple pdns packages: security update to 4.0.3-r0

medium Tenable Cloud Security Plugin ID 406233

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue has been found in PowerDNS Authoritative Server versions up to and including 3.4.10, 4.0.1
allowing an authorized user to crash the server by inserting a specially crafted record in a zone under
their control then sending a DNS query for that record. The issue is due to an integer overflow when
checking if the content of the record matches the expected size, allowing an attacker to cause a read past
the buffer boundary. (CVE-2016-2120)

- An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4,
allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by
sending crafted DNS queries, which might result in a partial denial of service if the system becomes
overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query
regardless of whether they are needed or even legitimate. A specially crafted query containing a large
number of records can be used to take advantage of that behaviour. (CVE-2016-7068)

- An issue has been found in PowerDNS Authoritative Server before 3.4.11 and 4.0.2 allowing a remote,
unauthenticated attacker to cause a denial of service by opening a large number of TCP connections to the
web server. If the web server runs out of file descriptors, it triggers an exception and terminates the
whole PowerDNS process. While it's more complicated for an unauthorized attacker to make the web server
run out of file descriptors since its connection will be closed just after being accepted, it might still
be possible. (CVE-2016-7072)

- An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing
an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient
validation of TSIG signatures. A missing check of the TSIG time and fudge values was found in
AXFRRetriever, leading to a possible replay attack. (CVE-2016-7073)

- An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing
an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient
validation of TSIG signatures. A missing check that the TSIG record is the last one, leading to the
possibility of parsing records that are not covered by the TSIG signature. (CVE-2016-7074)

See Also

https://security.alpinelinux.org/vuln/CVE-2016-2120

https://security.alpinelinux.org/vuln/CVE-2016-7068

https://security.alpinelinux.org/vuln/CVE-2016-7072

https://security.alpinelinux.org/vuln/CVE-2016-7073

https://security.alpinelinux.org/vuln/CVE-2016-7074

Plugin Details

Severity: Medium

ID: 406233

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2016-7074

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/15/2016

Reference Information

CVE: CVE-2016-2120, CVE-2016-7068, CVE-2016-7072, CVE-2016-7073, CVE-2016-7074