Alpine: gnupg1: security update to 1.4.18-r0 (deprecated)

medium Tenable Self-Hosted Container Security Plugin ID 401117

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal
decryption, which allows physically proximate attackers to obtain the server's private key by determining
factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
(CVE-2014-3591)

- The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain
sensitive information by leveraging timing differences when accessing a pre-computed table during modular
exponentiation, related to a "Last-Level Cache Side-Channel Attack." (CVE-2015-0837)

See Also

https://git.alpinelinux.org/aports/commit/?id=912394b5680033130b22c9790c18b65d40d62af8

https://git.alpinelinux.org/aports/commit/?id=c87453388fd46eaa8db5bad0b17632383567c359

Plugin Details

Severity: Medium

ID: 401117

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2015-0837

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/28/2015

Vulnerability Publication Date: 2/27/2015

Reference Information

CVE: CVE-2014-3591, CVE-2015-0837

BID: 73064, 73066