| Name | CVE-2021-3618 |
| Description | ALPACA is an application layer protocol content confusion attack, expl ... |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| Debian Bugs | 991328, 991329, 991331 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| nginx (PTS) | buster, buster (security) | 1.14.2-2+deb10u4 | vulnerable |
| bullseye | 1.18.0-6.1 | vulnerable |
| bookworm, sid | 1.20.2-2 | fixed |
| sendmail (PTS) | buster | 8.15.2-14~deb10u1 | vulnerable |
| bullseye | 8.15.2-22 | vulnerable |
| bookworm, sid | 8.17.1.9-1 | vulnerable |
| vsftpd (PTS) | buster, bullseye | 3.0.3-12 | vulnerable |
| bookworm, sid | 3.0.3-13 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[bullseye] - nginx <no-dsa> (Minor issue)
[buster] - nginx <no-dsa> (Minor issue)
[stretch] - nginx <no-dsa> (Minor issue)
[bullseye] - vsftpd <no-dsa> (Minor issue)
[buster] - vsftpd <no-dsa> (Minor issue)
[stretch] - vsftpd <no-dsa> (Minor issue)
[bullseye] - sendmail <no-dsa> (Minor issue)
[buster] - sendmail <no-dsa> (Minor issue)
[stretch] - sendmail <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1975623
https://alpaca-attack.com/
Generic TLS protocol issue, some applications have released mitigations:
nginx: http://hg.nginx.org/nginx/rev/ec1071830799
vsftpd: https://security.appspot.com/vsftpd/Changelog.txt (3.0.4)
* Close the control connection after 10 unknown commands pre-login.
* Reject any TLS ALPN advertisement that's not 'ftp'.
* Add ssl_sni_hostname option to require a match on incoming SNI hostname.
sendmail: Fixed in 3.16.1: https://marc.info/?l=sendmail-announce&m=159394546814125&w=2
exim4 has config option: https://lists.exim.org/lurker/message/20210609.200324.f0e073ed.el.html