Alpine: multiple prosody packages: security update to 0.11.8-r0 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400218

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default,
even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the
server's bandwidth. (CVE-2021-32917)

- An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote
unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua
5.3. (CVE-2021-32918)

- An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in
mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly
authenticate remote server certificates, allowing a remote server to impersonate another server (when this
option is enabled). (CVE-2021-32919)

- Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
(CVE-2021-32920)

- An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing
certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing
attack to reveal the contents of secret strings to an attacker. (CVE-2021-32921)

See Also

https://git.alpinelinux.org/aports/commit/?id=8092a9ac923a78350c34f39bf3ed07c4c2c33155

https://git.alpinelinux.org/aports/commit/?id=bf35fd3027da85bed80baf364ef2324fb933b293

Plugin Details

Severity: High

ID: 400218

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-32921

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-32919

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/14/2021

Vulnerability Publication Date: 5/13/2021

Reference Information

CVE: CVE-2021-32917, CVE-2021-32918, CVE-2021-32919, CVE-2021-32920, CVE-2021-32921