Alpine: multiple ldb packages, multiple samba packages, pam-winbind: security update to 4.11.5-r0

medium Tenable Self-Hosted Container Security Plugin ID 424471

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and
all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would
not automatically be taken away on all domain controllers. (CVE-2019-14902)

- All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where
if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed
character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange.
In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to
terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a
crash there is harmless). (CVE-2019-14907)

- There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions
before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while
other local variables still point at the original buffer. (CVE-2019-19344)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-14902

https://security.alpinelinux.org/vuln/CVE-2019-14907

https://security.alpinelinux.org/vuln/CVE-2019-19344

Plugin Details

Severity: Medium

ID: 424471

Version: Revision 1.10

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2019-14902

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/21/2020

Reference Information

CVE: CVE-2019-14902, CVE-2019-14907, CVE-2019-19344

IAVA: 2020-A-0035-S