Alpine: libspf2: security update to 1.2.11-r0

critical Tenable Cloud Security Plugin ID 424059

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to
execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a
crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The
vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional
configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2
with Postfix; older versions of spfquery relied on libspf2) but most often is not. (CVE-2021-33912)

- libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute
arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF
DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on
the relationship between the length of an entire domain name and the length of its leftmost label. The
vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional
configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2
with Postfix; older versions of spfquery relied on libspf2) but most often is not. (CVE-2021-33913)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-33912

https://security.alpinelinux.org/vuln/CVE-2021-33913

Plugin Details

Severity: Critical

ID: 424059

Version: Revision 1.9

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.67

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-33913

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/19/2022

Reference Information

CVE: CVE-2021-33912, CVE-2021-33913