Alpine: multiple dnsdist packages: security update to 2.0.1-r0

high Tenable Cloud Security Plugin ID 436214

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which
could cause it to send data at a rate faster than the path might actually support. An unauthenticated
remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-
controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state
by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could
grow the congestion window beyond typical expectations and allow more bytes in flight than the path might
really support. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.
(CVE-2025-4820)

- Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which
could cause it to send data at a rate faster than the path might actually support. An unauthenticated
remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-
controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state
by sending ACK frames covering a large range of packet numbers (including packet numbers that had never
been sent); see RFC 9000 Section 19.3. The victim could grow the congestion window beyond typical
expectations and allow more bytes in flight than the path might really support. In extreme cases, the
window might grow beyond the limit of the internal variable's type, leading to an overflow panic. Patches
quiche 0.24.4 is the earliest version containing the fix for this issue. (CVE-2025-4821)

- Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing
RETIRE_CONNECTION_ID frames. QUIC connections possess a set of connection identifiers (IDs); see Section
5.1 of RFC 9000 https://datatracker.ietf.org/doc/html/rfc9000#section-5.1 . Once the QUIC handshake
completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the
remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each
Connection ID has a sequence number to ensure synchronization between peers. An unauthenticated remote
attacker can exploit this vulnerability by first completing a handshake and then sending a specially-
crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to
send a packet containing RETIRE_CONNECTION_ID frames, Section 19.16 of RFC 9000
https://datatracker.ietf.org/doc/html/rfc9000#section-19.6 requires that the sequence number of the
retired connection ID must not be the same as the sequence number of the connection ID used by the packet.
In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration,
it is possible for there to be multiple active paths with different active connection IDs that could be
used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature
that supports retirement across paths while maintaining full connection ID synchronization, leading to an
infinite loop.This issue affects quiche: from 0.15.0 before 0.24.5. (CVE-2025-7054)

- A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the
internal architectures of some HTTP/2 implementations may result in excessive server resource consumption
leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset
them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting.
Streams reset by the server are considered closed at the protocol level, even though backend processing
continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on
a single connection. This CVE will be updated as affected product details are released. (CVE-2025-8671)

- In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over
HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that
triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. (CVE-2025-30187)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-30187

https://security.alpinelinux.org/vuln/CVE-2025-4820

https://security.alpinelinux.org/vuln/CVE-2025-4821

https://security.alpinelinux.org/vuln/CVE-2025-7054

https://security.alpinelinux.org/vuln/CVE-2025-8671

Plugin Details

Severity: High

ID: 436214

Version: Revision 1.3

Type: Local

Published: 12/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

Percentile: 96.49

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-7054

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/18/2025

Reference Information

CVE: CVE-2025-30187, CVE-2025-4820, CVE-2025-4821, CVE-2025-7054, CVE-2025-8671