I have installed the bind9 package in a Debian Docker image, and I ran a Trivy scan on that Docker image. The Trivy scan identified a vulnerability in the bind9 package. Therefore, I am attempting to resolve this issue by installing an older stable version with the version number mentioned in this page. But when I try to run the commands apt-get update and apt-get install bind9=<versionnumber>, I get an error saying "Version versionnumber for bind9 was not found".

Is it possible to install another version of a package in Debian (older, or newer from a future release)? If not, how should we usually fix the vulnerability?

And I ran the scan with an Ubuntu image with bind9 and it didn't show any vulnerability. Therefore, I compared the bind9 versions between Debian and Ubuntu, and they are different. Is it possible to install in Debian the bind9 package version that is shown in Ubuntu?

  • Other than certain graphics drivers, everything else has one version and one version only in the repositories. Maybe you need a more up-to-date Debian? – ChanganAuto May 20 '23 at 22:59
  • I’m using the latest version of Debian, which is 11.7. – noonenine May 20 '23 at 23:29
  • And I see different versions of bind9 in Debian latest vs Ubuntu latest. – noonenine May 20 '23 at 23:29
  • "And I see different versions of bind9 in Debian latest vs Ubuntu latest": as you should, because Ubuntu most of the time picks up packages from "testing", not from "stable". – ChanganAuto May 20 '23 at 23:42
  • These are the only versions available for Debian: https://qa.debian.org/madison.php?package=bind9 I don't know about Ubuntu. They are the same but Debian isn't Ubuntu. Also look at https://tracker.debian.org/pkg/bind9 – Big Joe May 21 '23 at 00:56
  • "I compared the bind9 versions between Debian and Ubuntu, they are different" ... what versions are they? Try adding the bullseye-backports repo. – Jaromanda X May 21 '23 at 03:47
  • Actually, I figured out the solution to install an old version of a Debian package. The version of bind9 in Debian is 1:9.18.12-0ubuntu0.22.04.1. The version of bind9 in Debian is 1:9.16.37-1~deb11u1. For the Debian version, there is a vulnerability, CVE-2022-2881. So I have added the Debian buster source list in /etc/apt/sources.list. But when I try to install bind9 version 1:9.11.5.P4+dfsg-5.1+deb10u8, I got the errors below. How can I fix these dependencies? – noonenine May 21 '23 at 03:56
  • Depends: bind9utils (= 1:9.11.5.P4+dfsg-5.1+deb10u8)
    Depends: libbind9-161 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    Depends: libisccc161 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    Depends: libisccfg163 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    Depends: liblwres161 (= 1:9.11.5.P4+dfsg-5.1+deb10u8) but 1:9.11.19+dfsg-2.1 is to be installed
    – noonenine May 21 '23 at 03:58