CVE-2021-30004

NameCVE-2021-30004
DescriptionIn wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wpa (PTS)stretch2:2.4-1+deb9u6vulnerable
stretch (security)2:2.4-1+deb9u9vulnerable
buster2:2.7+git20190128+0c1e29f-6+deb10u2vulnerable
buster (security)2:2.7+git20190128+0c1e29f-6+deb10u1vulnerable
bullseye, sid2:2.9.0-21vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wpasource(unstable)(unfixed)unimportant

Notes

https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15
Issue only affects the "internal" TLS implementation (CONFIG_TLS=internal)
but Debian builds with CONFIG_TLS=openssl

Search for package or bug name: Reporting problems