Alpine: multiple bareos packages: security update to 19.2.8-r0

high Tenable Self-Hosted Container Security Plugin ID 403620

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Bareos versions before 19.2.8 allow a malicious client to communicate with the director
without knowledge of the shared secret if the director allows client-initiated connections and
connects to the client itself. The malicious client can replay the Bareos director's CRAM-MD5
challenge back to the director, which then responds to its own replayed challenge; the response
obtained is a valid reply to the director's original challenge. This is fixed in version 19.2.8. (CVE-2020-4042)

- In Bareos Director versions up to and including 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a
malicious client to corrupt the director's memory via oversized digest strings sent during initialization
of a verify job. Disabling verify jobs mitigates the problem. This issue is patched in Bareos
versions 19.2.8, 18.2.9 and 17.2.10. (CVE-2020-11061)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-11061

https://security.alpinelinux.org/vuln/CVE-2020-4042

Plugin Details

Severity: High

ID: 403620

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 50.87

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2020-11061

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/10/2020

Reference Information

CVE: CVE-2020-11061, CVE-2020-4042