CVE-2021-30004

NameCVE-2021-30004
DescriptionIn wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wpa (PTS)jessie, jessie (lts)2.3-1+deb8u13vulnerable
stretch (security), stretch (lts), stretch2:2.4-1+deb9u9vulnerable
buster2:2.7+git20190128+0c1e29f-6+deb10u3vulnerable
buster (security)2:2.7+git20190128+0c1e29f-6+deb10u4vulnerable
bullseye2:2.9.0-21vulnerable
bookworm2:2.10-12vulnerable
sid, trixie2:2.10-21vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wpasource(unstable)(unfixed)unimportant

Notes

https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15
Issue only affects the "internal" TLS implementation (CONFIG_TLS=internal)
but Debian builds with CONFIG_TLS=openssl

Search for package or bug name: Reporting problems