
I have installed the bind9 package in a Debian Docker image, and I ran a Trivy scan on that Docker image. The Trivy scan identified a vulnerability in the bind9 package. Therefore, I am attempting to resolve this issue by installing an older stable version with the version number mentioned on this page. But when I run `apt-get update` and `apt-get install bind9=<versionnumber>`, I get the error "Version versionnumber for bind9 was not found".

Is it possible to install another version of a package in Debian (older, or newer from a future release)? If not, how should we usually fix the vulnerability?

I also ran the scan on an Ubuntu image with bind9 and it didn't show any vulnerability. Therefore, I compared the bind9 versions between Debian and Ubuntu, and they are different. Is it possible to install in Debian the bind9 package version that Ubuntu ships?

noonenine
  • Other than certain graphics drivers, everything else has one version and one version only in the repositories. Maybe you need a more up-to-date Debian? – ChanganAuto May 20 '23 at 22:59
  • I’m using the latest version of Debian, which is 11.7. – noonenine May 20 '23 at 23:29
  • And I see different versions of bind9 in Debian latest vs Ubuntu latest. – noonenine May 20 '23 at 23:29
  • *And I see different versions of bind9 in Debian latest vs Ubuntu latest* as you should, because Ubuntu most of the time picks up packages from "testing", not from "stable". – ChanganAuto May 20 '23 at 23:42
  • These are the only versions available for Debian: https://qa.debian.org/madison.php?package=bind9 I don't know about Ubuntu. They are the same, but Debian isn't Ubuntu ... also look at https://tracker.debian.org/pkg/bind9 – Big Joe May 21 '23 at 00:56
  • *I compared the bind9 versions between Debian and Ubuntu, they are different* ... what versions are they - try adding bullseye-backports repo – Jaromanda X May 21 '23 at 03:47
  • Actually, I figured out the solution to install an old version of a Debian package. The version of bind9 in Debian is 1:9.18.12-0ubuntu0.22.04.1. The version of bind9 in Debian is 1:9.16.37-1~deb11u1. For the Debian version, there is a vulnerability [CVE-2022-2881](https://security-tracker.debian.org/tracker/CVE-2022-2881). So I have added the Debian buster source list to /etc/apt/sources.list. But when I try to install bind9 version 1:9.11.5.P4+dfsg-5.1+deb10u8, I get the errors below. How can I fix these dependencies? – noonenine May 21 '23 at 03:56
  • Depends: bind9utils (= 1:9.11.5.P4+dfsg-5.1+deb10u8)
    Depends: libbind9-161 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    Depends: libisccc161 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    Depends: libisccfg163 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    Depends: liblwres161 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    – noonenine May 21 '23 at 03:58

1 Answer

The Trivy scan identified a vulnerability in the bind9 package.

The Trivy scan is wrong. According to the page for this vulnerability on the Debian Security Tracker you linked to in a comment:

[bullseye] - bind9 (Flawed code present in 9.16 but masked by the way the httpd objects are reset between messages)

This vulnerability cannot be exploited because the vulnerability is caused by multiple consecutive reads of the statistics reusing the same httpd object, but this version resets the httpd objects so the vulnerability cannot be exploited.

Is it possible to install another version of a package in Debian (old or newer from future release)?

No.

There are many people who will tell you otherwise, and there are many people who will blindly tell you to just add the repository for the newer Debian release to your sources list.

Those people are not the ones who will waste days on end fixing your broken system – that will be you.

If not how we should usually fix the vulnerability?

You don't. That's the distribution's job and one of the main reasons to use a (supported) distribution in the first place.

Jörg W Mittag
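The answer's point is that a scanner match on a package version is not the same as the distribution's verdict on it: Debian had recorded bullseye as not affected by CVE-2022-2881 even though the flawed code is present in 9.16. The script below is an added example for this thread, not code from the question, the answer, Trivy or Debian. It checks one finding against the Debian Security Tracker's per-suite status and, where a fixed version is recorded, compares the installed version against it using the dpkg version ordering (epoch, upstream, revision, with `~` sorting before everything). It assumes the JSON layout served at https://security-tracker.debian.org/tracker/data/json (package, then CVE, then `releases`, then suite with `status` and `fixed_version`, where a not-affected suite carries status `resolved` and fixed version `0`) and the Trivy report field names `PkgName`, `VulnerabilityID` and `InstalledVersion`; both the tracker data and the finding are constructed inline so it runs offline.

```python
"""Check a scanner finding against the Debian Security Tracker's verdict.

Added example for this thread; not code from the question, the answer,
Trivy or Debian.  The tracker JSON layout and the Trivy field names used
here are assumptions about those tools' formats; all data is constructed.
"""
import json

# Constructed sample in the tracker's JSON shape (not fetched).  The bullseye
# entry mirrors the "not affected" note quoted in the answer: status
# "resolved" with fixed_version "0".
TRACKER_JSON = json.dumps({
    "bind9": {
        "CVE-2022-2881": {
            "releases": {
                "bullseye": {"status": "resolved", "fixed_version": "0",
                             "repositories": {"bullseye": "1:9.16.37-1~deb11u1"}},
                "bookworm": {"status": "resolved", "fixed_version": "1:9.18.7-1",
                             "repositories": {"bookworm": "1:9.18.12-1"}},
            }
        }
    }
})

# Constructed finding using Trivy's (assumed) JSON field names.
FINDING = {"PkgName": "bind9", "VulnerabilityID": "CVE-2022-2881",
           "InstalledVersion": "1:9.16.37-1~deb11u1"}


def _order(c):
    """Sort weight of one character, as dpkg's verrevcmp() defines it."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare the upstream or the revision part of two Debian versions."""
    while a or b:
        first_diff = 0
        # non-digit run: character by character with dpkg's ordering
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # numeric run: the longer run wins, else the first differing digit
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def triage(tracker_json, finding, suite):
    """Classify one finding for one suite from the tracker's point of view."""
    tracker = json.loads(tracker_json)
    entry = tracker.get(finding["PkgName"], {}).get(finding["VulnerabilityID"])
    release = (entry or {}).get("releases", {}).get(suite)
    if release is None:
        return "unknown"          # no tracker record: do not assume either way
    fixed = release.get("fixed_version")
    if release["status"] == "resolved" and fixed == "0":
        return "not-affected"     # Debian says this suite never had the bug
    if fixed and compare_versions(finding["InstalledVersion"], fixed) >= 0:
        return "fixed"
    return "open"


if __name__ == "__main__":
    print(FINDING["VulnerabilityID"], "on bullseye:",
          triage(TRACKER_JSON, FINDING, "bullseye"))
```

A finding that comes back `not-affected` or `fixed` is the case the answer calls the scanner being wrong; only `open` is something to act on, and then the action is the distribution's security update, not a version from another release or another distribution. The versions apt can actually install are the ones `apt-cache policy bind9` lists for the configured sources, which on a stable Debian is normally just one.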