CVE-2015-7575
Published: 31 December 2015
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
Notes
| Author | Note |
|---|---|
| mdeslaur | This is called "SLOTH" |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
firefox Launchpad, Ubuntu, Debian |
artful |
Released
(43.0.4+build3-0ubuntu1)
|
| bionic |
Released
(43.0.4+build3-0ubuntu1)
|
|
| cosmic |
Released
(43.0.4+build3-0ubuntu1)
|
|
| disco |
Released
(43.0.4+build3-0ubuntu1)
|
|
| precise |
Does not exist
(precise was released [43.0.4+build3-0ubuntu0.12.04.1])
|
|
| trusty |
Does not exist
(trusty was released [43.0.4+build3-0ubuntu0.14.04.1])
|
|
| upstream |
Released
(43.0.2)
|
|
| vivid |
Released
(43.0.4+build3-0ubuntu0.15.04.1)
|
|
| wily |
Released
(43.0.4+build3-0ubuntu0.15.10.1)
|
|
| xenial |
Released
(43.0.4+build3-0ubuntu1)
|
|
| yakkety |
Released
(43.0.4+build3-0ubuntu1)
|
|
| zesty |
Released
(43.0.4+build3-0ubuntu1)
|
|
|
gnutls26 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| precise |
Released
(2.12.14-5ubuntu3.11)
|
|
| trusty |
Released
(2.12.23-12ubuntu2.4)
|
|
| upstream |
Needs triage
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: https://gitlab.com/gnutls/gnutls/commit/778b4825c4e9fbd087f6fd5e3c94e547b93ae10e |
||
|
gnutls28 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(3.3.18-1ubuntu1)
|
| bionic |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| cosmic |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| disco |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(3.4.1,3.3.15)
|
|
| vivid |
Released
(3.3.8-3ubuntu3.2)
|
|
| wily |
Not vulnerable
(3.3.15-5ubuntu2)
|
|
| xenial |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| yakkety |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| zesty |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
|
Patches: upstream: https://gitlab.com/gnutls/gnutls/commit/6ef0d5dd3cbd5dfc1bdc05f1d5ce918d04d23752 upstream: https://gitlab.com/gnutls/gnutls/commit/1e013f4c660fa79c2398dbcfd4f0e054c724c5ec upstream: https://gitlab.com/gnutls/gnutls/commit/a8076fa599f0a37f8e12e30eeadd50a0ea3c67b7 upstream: https://gitlab.com/gnutls/gnutls/commit/3d333e59621f6cf9381c846c405b23d79020d031 upstream: https://gitlab.com/gnutls/gnutls/commit/20ba9c563c435b20ce5000fe4f831a07a2a6a0cf |
||
|
mbedtls Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(2.2.1-2)
|
| bionic |
Not vulnerable
(2.2.1-2)
|
|
| cosmic |
Not vulnerable
(2.2.1-2)
|
|
| disco |
Not vulnerable
(2.2.1-2)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.2.1-1)
|
|
| wily |
Does not exist
|
|
| xenial |
Not vulnerable
(2.2.1-2)
|
|
| yakkety |
Not vulnerable
(2.2.1-2)
|
|
| zesty |
Not vulnerable
(2.2.1-2)
|
|
|
nss Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(2:3.21-1ubuntu2)
|
| bionic |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| cosmic |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| disco |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| precise |
Released
(3.19.2.1-0ubuntu0.12.04.2)
|
|
| trusty |
Released
(2:3.19.2.1-0ubuntu0.14.04.2)
|
|
| upstream |
Released
(2:3.21-1)
|
|
| vivid |
Released
(2:3.19.2.1-0ubuntu0.15.04.2)
|
|
| wily |
Released
(2:3.19.2.1-0ubuntu0.15.10.2)
|
|
| xenial |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| yakkety |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| zesty |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
|
Patches: upstream: https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb (3.19.2) upstream: https://hg.mozilla.org/projects/nss/rev/891676aa0d85 (3.20) |
||
|
openjdk-6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| precise |
Does not exist
(precise was released [6b38-1.13.10-0ubuntu0.12.04.1])
|
|
| trusty |
Does not exist
(trusty was released [6b38-1.13.10-0ubuntu0.14.04.1])
|
|
| upstream |
Needs triage
|
|
| vivid |
Released
(6b38-1.13.10-0ubuntu0.15.04.1)
|
|
| wily |
Released
(6b38-1.13.10-0ubuntu0.15.10.1)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| precise |
Does not exist
(precise was released [7u95-2.6.4-0ubuntu0.12.04.1])
|
|
| trusty |
Does not exist
(trusty was released [7u95-2.6.4-0ubuntu0.14.04.1])
|
|
| upstream |
Needs triage
|
|
| vivid |
Released
(7u95-2.6.4-0ubuntu0.15.04.1)
|
|
| wily |
Released
(7u95-2.6.4-0ubuntu0.15.10.1)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
openjdk-8 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(8u72-b15-1)
|
| bionic |
Not vulnerable
(8u72-b15-1)
|
|
| cosmic |
Not vulnerable
(8u72-b15-1)
|
|
| disco |
Not vulnerable
(8u72-b15-1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8u72-b15-1)
|
|
| vivid |
Ignored
(reached end-of-life)
|
|
| wily |
Released
(8u91-b14-0ubuntu4~15.10.1)
|
|
| xenial |
Not vulnerable
(8u72-b15-1)
|
|
| yakkety |
Not vulnerable
(8u72-b15-1)
|
|
| zesty |
Not vulnerable
(8u72-b15-1)
|
|
|
openssl Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1.0.2e-1ubuntu1)
|
| bionic |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| cosmic |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| disco |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| precise |
Released
(1.0.1-4ubuntu5.33)
|
|
| trusty |
Not vulnerable
(1.0.1f-1ubuntu2.16)
|
|
| upstream |
Released
(1.0.1f)
|
|
| vivid |
Not vulnerable
(1.0.1f-1ubuntu11.5)
|
|
| wily |
Not vulnerable
(1.0.2d-0ubuntu1.2)
|
|
| xenial |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| yakkety |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| zesty |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
|
Patches: upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=45473632c54947859a731dfe2db087c002ef7aa7 upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a (1.0.1) |
||
|
openssl098 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| precise |
Does not exist
(precise was not-affected)
|
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Needs triage
|
|
| vivid |
Not vulnerable
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
polarssl Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(1.2.19,1.3.16)
|
|
| vivid |
Ignored
(reached end-of-life)
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
thunderbird Launchpad, Ubuntu, Debian |
artful |
Released
(1:38.6.0+build1-0ubuntu1)
|
| bionic |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| cosmic |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| disco |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| precise |
Does not exist
(precise was released [1:38.6.0+build1-0ubuntu0.12.04.1])
|
|
| trusty |
Does not exist
(trusty was released [1:38.6.0+build1-0ubuntu0.14.04.1])
|
|
| upstream |
Released
(38.6.0)
|
|
| vivid |
Ignored
(reached end-of-life)
|
|
| wily |
Released
(1:38.6.0+build1-0ubuntu0.15.10.1)
|
|
| xenial |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| yakkety |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| zesty |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
- http://www.mitls.org/pages/attacks/SLOTH
- http://www.gnutls.org/security.html#GNUTLS-SA-2015-2
- http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
- https://ubuntu.com/security/notices/USN-2863-1
- https://ubuntu.com/security/notices/USN-2864-1
- https://ubuntu.com/security/notices/USN-2865-1
- https://ubuntu.com/security/notices/USN-2866-1
- https://ubuntu.com/security/notices/USN-2884-1
- http://blog.fuseyism.com/index.php/2016/01/25/security-icedtea-1-13-10-for-openjdk-6-released/
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
- https://ubuntu.com/security/notices/USN-2904-1
- NVD
- Launchpad
- Debian