Alpine: multiple bind packages: security update to 9.16.6-r0

medium Tenable Self-Hosted Container Security Plugin ID 423709

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server
and send data on that connection can exploit this to trigger the assertion failure, causing the server to
exit. (CVE-2020-8620)

- In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and
'forward first' then an attacker who can send queries to it may be able to trigger the condition that will
cause the server to crash. Servers that 'forward only' are not affected. (CVE-2020-8621)

- In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the
BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating
the server receiving the TSIG-signed request, could send a truncated response to that request, triggering
an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to
correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and
message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.
(CVE-2020-8622)

- In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the
BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted
query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with
"--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from
a possible attacker (CVE-2020-8623)

- In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also
affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An
attacker who has been granted privileges to change a specific subset of the zone's content could abuse
these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-8620

https://security.alpinelinux.org/vuln/CVE-2020-8621

https://security.alpinelinux.org/vuln/CVE-2020-8622

https://security.alpinelinux.org/vuln/CVE-2020-8623

https://security.alpinelinux.org/vuln/CVE-2020-8624

Plugin Details

Severity: Medium

ID: 423709

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-8624

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/20/2020

Reference Information

CVE: CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

IAVA: 2020-A-0385-S