Alpine: multiple cargo packages, multiple rust packages: security update to 1.26.0-r0

high Tenable Self-Hosted Container Security Plugin ID 424443

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package`
configuration key. Usage of the `package` key to rename dependencies in `Cargo.toml` is ignored in Rust
1.25.0 and prior. When Rust 1.25.0 and prior is used Cargo may download the wrong dependency, which could
be squatted on crates.io to be a malicious package. This not only affects manifests that you write locally
yourself, but also manifests published to crates.io. Rust 1.0.0 through Rust 1.25.0 is affected by this
advisory because Cargo will ignore the `package` key in manifests. Rust 1.26.0 through Rust 1.30.0 are not
affected and typically will emit an error because the `package` key is unstable. Rust 1.31.0 and after are
not affected because Cargo understands the `package` key. Users of the affected versions are strongly
encouraged to update their compiler to the latest available one. Preventing this issue from happening
requires updating your compiler to be either Rust 1.26.0 or newer. There will be no point release for Rust
versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply linked patches to mitigate
the issue. (CVE-2019-16760)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-16760

Plugin Details

Severity: High

ID: 424443

Version: Revision 1.6

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2019-16760

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/30/2019

Reference Information

CVE: CVE-2019-16760