Alpine: multiple pdns packages: security update to 5.0.4-r0

critical Tenable Self-Hosted Container Security Plugin ID 440773

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An attacker can send a notify request that causes a new secondary domain to be added to the bind backend,
but causes said backend to update its configuration to an invalid one, leading to the backend no longer
able to run on the next restart, requiring manual operation to fix it. (CVE-2026-33608)

- An attacker can send a web request that causes unlimited memory allocation in the internal web server,
leading to a denial of service. The internal web server is disabled by default. (CVE-2026-33257,
CVE-2026-33260)

- Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of
internal domain subtrees. (CVE-2026-33609)

Solution

Update the pdns library and its related packages to version 5.0.4-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-33257

https://security.alpinelinux.org/vuln/CVE-2026-33260

https://security.alpinelinux.org/vuln/CVE-2026-33608

https://security.alpinelinux.org/vuln/CVE-2026-33609

https://security.alpinelinux.org/vuln/CVE-2026-33610

https://security.alpinelinux.org/vuln/CVE-2026-33611

Plugin Details

Severity: Critical

ID: 440773

Version: Revision 1.7

Type: Local

Published: 4/23/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33608

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/22/2026

Reference Information

CVE: CVE-2026-33257, CVE-2026-33260, CVE-2026-33608, CVE-2026-33609, CVE-2026-33610, CVE-2026-33611