CVE-2015-7575
Published: 31 December 2015
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
Priority
CVSS 3 base score: 5.9
Status
Package | Release | Status |
---|---|---|
firefox | artful | Released (43.0.4+build3-0ubuntu1) |
firefox | bionic | Released (43.0.4+build3-0ubuntu1) |
firefox | cosmic | Released (43.0.4+build3-0ubuntu1) |
firefox | disco | Released (43.0.4+build3-0ubuntu1) |
firefox | precise | Does not exist (precise was released [43.0.4+build3-0ubuntu0.12.04.1]) |
firefox | trusty | Does not exist (trusty was released [43.0.4+build3-0ubuntu0.14.04.1]) |
firefox | upstream | Released (43.0.2) |
firefox | vivid | Released (43.0.4+build3-0ubuntu0.15.04.1) |
firefox | wily | Released (43.0.4+build3-0ubuntu0.15.10.1) |
firefox | xenial | Released (43.0.4+build3-0ubuntu1) |
firefox | yakkety | Released (43.0.4+build3-0ubuntu1) |
firefox | zesty | Released (43.0.4+build3-0ubuntu1) |
gnutls26 | artful | Does not exist |
gnutls26 | bionic | Does not exist |
gnutls26 | cosmic | Does not exist |
gnutls26 | disco | Does not exist |
gnutls26 | precise | Released (2.12.14-5ubuntu3.11) |
gnutls26 | trusty | Released (2.12.23-12ubuntu2.4) |
gnutls26 | upstream | Needs triage |
gnutls26 | vivid | Does not exist |
gnutls26 | wily | Does not exist |
gnutls26 | xenial | Does not exist |
gnutls26 | yakkety | Does not exist |
gnutls26 | zesty | Does not exist |
gnutls28 | artful | Not vulnerable (3.3.18-1ubuntu1) |
gnutls28 | bionic | Not vulnerable (3.3.18-1ubuntu1) |
gnutls28 | cosmic | Not vulnerable (3.3.18-1ubuntu1) |
gnutls28 | disco | Not vulnerable (3.3.18-1ubuntu1) |
gnutls28 | precise | Does not exist (precise was needed) |
gnutls28 | trusty | Does not exist (trusty was needed) |
gnutls28 | upstream | Released (3.4.1, 3.3.15) |
gnutls28 | vivid | Released (3.3.8-3ubuntu3.2) |
gnutls28 | wily | Not vulnerable (3.3.15-5ubuntu2) |
gnutls28 | xenial | Not vulnerable (3.3.18-1ubuntu1) |
gnutls28 | yakkety | Not vulnerable (3.3.18-1ubuntu1) |
gnutls28 | zesty | Not vulnerable (3.3.18-1ubuntu1) |
mbedtls | artful | Not vulnerable (2.2.1-2) |
mbedtls | bionic | Not vulnerable (2.2.1-2) |
mbedtls | cosmic | Not vulnerable (2.2.1-2) |
mbedtls | disco | Not vulnerable (2.2.1-2) |
mbedtls | precise | Does not exist |
mbedtls | trusty | Does not exist |
mbedtls | upstream | Released (2.2.1-1) |
mbedtls | wily | Does not exist |
mbedtls | xenial | Not vulnerable (2.2.1-2) |
mbedtls | yakkety | Not vulnerable (2.2.1-2) |
mbedtls | zesty | Not vulnerable (2.2.1-2) |
nss | artful | Not vulnerable (2:3.21-1ubuntu2) |
nss | bionic | Not vulnerable (2:3.21-1ubuntu2) |
nss | cosmic | Not vulnerable (2:3.21-1ubuntu2) |
nss | disco | Not vulnerable (2:3.21-1ubuntu2) |
nss | precise | Released (3.19.2.1-0ubuntu0.12.04.2) |
nss | trusty | Released (2:3.19.2.1-0ubuntu0.14.04.2) |
nss | upstream | Released (2:3.21-1) |
nss | vivid | Released (2:3.19.2.1-0ubuntu0.15.04.2) |
nss | wily | Released (2:3.19.2.1-0ubuntu0.15.10.2) |
nss | xenial | Not vulnerable (2:3.21-1ubuntu2) |
nss | yakkety | Not vulnerable (2:3.21-1ubuntu2) |
nss | zesty | Not vulnerable (2:3.21-1ubuntu2) |
openjdk-6 | artful | Does not exist |
openjdk-6 | bionic | Does not exist |
openjdk-6 | cosmic | Does not exist |
openjdk-6 | disco | Does not exist |
openjdk-6 | precise | Does not exist (precise was released [6b38-1.13.10-0ubuntu0.12.04.1]) |
openjdk-6 | trusty | Does not exist (trusty was released [6b38-1.13.10-0ubuntu0.14.04.1]) |
openjdk-6 | upstream | Needs triage |
openjdk-6 | vivid | Released (6b38-1.13.10-0ubuntu0.15.04.1) |
openjdk-6 | wily | Released (6b38-1.13.10-0ubuntu0.15.10.1) |
openjdk-6 | xenial | Does not exist |
openjdk-6 | yakkety | Does not exist |
openjdk-6 | zesty | Does not exist |
openjdk-7 | artful | Does not exist |
openjdk-7 | bionic | Does not exist |
openjdk-7 | cosmic | Does not exist |
openjdk-7 | disco | Does not exist |
openjdk-7 | precise | Does not exist (precise was released [7u95-2.6.4-0ubuntu0.12.04.1]) |
openjdk-7 | trusty | Does not exist (trusty was released [7u95-2.6.4-0ubuntu0.14.04.1]) |
openjdk-7 | upstream | Needs triage |
openjdk-7 | vivid | Released (7u95-2.6.4-0ubuntu0.15.04.1) |
openjdk-7 | wily | Released (7u95-2.6.4-0ubuntu0.15.10.1) |
openjdk-7 | xenial | Does not exist |
openjdk-7 | yakkety | Does not exist |
openjdk-7 | zesty | Does not exist |
openjdk-8 | artful | Not vulnerable (8u72-b15-1) |
openjdk-8 | bionic | Not vulnerable (8u72-b15-1) |
openjdk-8 | cosmic | Not vulnerable (8u72-b15-1) |
openjdk-8 | disco | Not vulnerable (8u72-b15-1) |
openjdk-8 | precise | Does not exist |
openjdk-8 | trusty | Does not exist |
openjdk-8 | upstream | Released (8u72-b15-1) |
openjdk-8 | vivid | Ignored (reached end-of-life) |
openjdk-8 | wily | Released (8u91-b14-0ubuntu4~15.10.1) |
openjdk-8 | xenial | Not vulnerable (8u72-b15-1) |
openjdk-8 | yakkety | Not vulnerable (8u72-b15-1) |
openjdk-8 | zesty | Not vulnerable (8u72-b15-1) |
openssl | artful | Not vulnerable (1.0.2e-1ubuntu1) |
openssl | bionic | Not vulnerable (1.0.2e-1ubuntu1) |
openssl | cosmic | Not vulnerable (1.0.2e-1ubuntu1) |
openssl | disco | Not vulnerable (1.0.2e-1ubuntu1) |
openssl | precise | Released (1.0.1-4ubuntu5.33) |
openssl | trusty | Not vulnerable (1.0.1f-1ubuntu2.16) |
openssl | upstream | Released (1.0.1f) |
openssl | vivid | Not vulnerable (1.0.1f-1ubuntu11.5) |
openssl | wily | Not vulnerable (1.0.2d-0ubuntu1.2) |
openssl | xenial | Not vulnerable (1.0.2e-1ubuntu1) |
openssl | yakkety | Not vulnerable (1.0.2e-1ubuntu1) |
openssl | zesty | Not vulnerable (1.0.2e-1ubuntu1) |
openssl098 | artful | Does not exist |
openssl098 | bionic | Does not exist |
openssl098 | cosmic | Does not exist |
openssl098 | disco | Does not exist |
openssl098 | precise | Does not exist (precise was not-affected) |
openssl098 | trusty | Does not exist (trusty was not-affected) |
openssl098 | upstream | Needs triage |
openssl098 | vivid | Not vulnerable |
openssl098 | wily | Does not exist |
openssl098 | xenial | Does not exist |
openssl098 | yakkety | Does not exist |
openssl098 | zesty | Does not exist |
polarssl | artful | Does not exist |
polarssl | bionic | Does not exist |
polarssl | cosmic | Does not exist |
polarssl | disco | Does not exist |
polarssl | precise | Does not exist (precise was needed) |
polarssl | trusty | Does not exist (trusty was needed) |
polarssl | upstream | Released (1.2.19, 1.3.16) |
polarssl | vivid | Ignored (reached end-of-life) |
polarssl | wily | Ignored (reached end-of-life) |
polarssl | xenial | Does not exist |
polarssl | yakkety | Does not exist |
polarssl | zesty | Does not exist |
thunderbird | artful | Released (1:38.6.0+build1-0ubuntu1) |
thunderbird | bionic | Released (1:38.6.0+build1-0ubuntu1) |
thunderbird | cosmic | Released (1:38.6.0+build1-0ubuntu1) |
thunderbird | disco | Released (1:38.6.0+build1-0ubuntu1) |
thunderbird | precise | Does not exist (precise was released [1:38.6.0+build1-0ubuntu0.12.04.1]) |
thunderbird | trusty | Does not exist (trusty was released [1:38.6.0+build1-0ubuntu0.14.04.1]) |
thunderbird | upstream | Released (38.6.0) |
thunderbird | vivid | Ignored (reached end-of-life) |
thunderbird | wily | Released (1:38.6.0+build1-0ubuntu0.15.10.1) |
thunderbird | xenial | Released (1:38.6.0+build1-0ubuntu1) |
thunderbird | yakkety | Released (1:38.6.0+build1-0ubuntu1) |
thunderbird | zesty | Released (1:38.6.0+build1-0ubuntu1) |
Notes
Author | Note |
---|---|
mdeslaur | This is called "SLOTH" |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
- http://www.mitls.org/pages/attacks/SLOTH
- http://www.gnutls.org/security.html#GNUTLS-SA-2015-2
- http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
- https://ubuntu.com/security/notices/USN-2863-1
- https://ubuntu.com/security/notices/USN-2864-1
- https://ubuntu.com/security/notices/USN-2865-1
- https://ubuntu.com/security/notices/USN-2866-1
- https://ubuntu.com/security/notices/USN-2884-1
- http://blog.fuseyism.com/index.php/2016/01/25/security-icedtea-1-13-10-for-openjdk-6-released/
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
- https://ubuntu.com/security/notices/USN-2904-1