DescriptionALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs991328, 991329, 991331

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)buster, buster (security)1.14.2-2+deb10u4vulnerable
bookworm, sid1.20.2-2fixed
sendmail (PTS)buster8.15.2-14~deb10u1vulnerable
bookworm, sid8.17.1.9-1vulnerable
vsftpd (PTS)buster, bullseye3.0.3-12vulnerable
bookworm, sid3.0.3-13vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bullseye] - nginx <no-dsa> (Minor issue)
[buster] - nginx <no-dsa> (Minor issue)
[stretch] - nginx <no-dsa> (Minor issue)
[bullseye] - vsftpd <no-dsa> (Minor issue)
[buster] - vsftpd <no-dsa> (Minor issue)
[stretch] - vsftpd <no-dsa> (Minor issue)
[bullseye] - sendmail <no-dsa> (Minor issue)
[buster] - sendmail <no-dsa> (Minor issue)
[stretch] - sendmail <no-dsa> (Minor issue)
Generic TLS protocol issue, some applications have released mitigations:
vsftpd: (3.0.4)
* Close the control connection after 10 unknown commands pre-login.
* Reject any TLS ALPN advertisement that's not 'ftp'.
* Add ssl_sni_hostname option to require a match on incoming SNI hostname.
sendmail: Fixed in 3.16.1:
exim4 has config option:

Search for package or bug name: Reporting problems