CVE-2021-32574

Name	CVE-2021-32574
Description	HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	991719

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
consul (PTS)	bullseye	1.8.7+dfsg1-2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
consul	source	buster	(not affected)
consul	source	(unstable)	1.9.17+dfsg2-1			991719

Notes

[bullseye] - consul <no-dsa> (Minor issue)
[buster] - consul <not-affected> (Only affects 1.3.0 and later)
https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
https://github.com/hashicorp/consul/pull/10619