Alpine: multiple prosody packages: security update to 0.11.9-r0

high Tenable Cloud Security Plugin ID 406589

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default,
even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the
server's bandwidth. (CVE-2021-32917)

- An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote
unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua
5.3. (CVE-2021-32918)

- An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in
mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly
authenticate remote server certificates, allowing a remote server to impersonate another server (when this
option is enabled). (CVE-2021-32919)

- Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
(CVE-2021-32920)

- An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing
certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing
attack to reveal the contents of secret strings to an attacker. (CVE-2021-32921)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-32917

https://security.alpinelinux.org/vuln/CVE-2021-32918

https://security.alpinelinux.org/vuln/CVE-2021-32919

https://security.alpinelinux.org/vuln/CVE-2021-32920

https://security.alpinelinux.org/vuln/CVE-2021-32921

Plugin Details

Severity: High

ID: 406589

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-32921

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-32919

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/13/2021

Reference Information

CVE: CVE-2021-32917, CVE-2021-32918, CVE-2021-32919, CVE-2021-32920, CVE-2021-32921