SB2019112642 - Use of a broken or risky cryptographic algorithm in gnupg (Alpine package)
Published: November 26, 2019
Security Bulletin ID
SB2019112642
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-14855)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=4fce639e9b4ee255a7ae75426028a65c041daf3d
- https://git.alpinelinux.org/aports/commit/?id=e9819d25dc53379d45514e53f91014181e306ec3
- https://git.alpinelinux.org/aports/commit/?id=dc810e708ca64228344ca9d249529e253ad1ea71
- https://git.alpinelinux.org/aports/commit/?id=94ffa605a4208f620a3f267dd8c13bf7958d1e30