CVE-2015-7575

Published: 31 December 2015

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Priority

CVSS 3 base score: 5.9

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	artful	Released (43.0.4+build3-0ubuntu1)
	bionic	Released (43.0.4+build3-0ubuntu1)
	cosmic	Released (43.0.4+build3-0ubuntu1)
	disco	Released (43.0.4+build3-0ubuntu1)
	precise	Does not exist (precise was released [43.0.4+build3-0ubuntu0.12.04.1])
	trusty	Does not exist (trusty was released [43.0.4+build3-0ubuntu0.14.04.1])
	upstream	Released (43.0.2)
	vivid	Released (43.0.4+build3-0ubuntu0.15.04.1)
	wily	Released (43.0.4+build3-0ubuntu0.15.10.1)
	xenial	Released (43.0.4+build3-0ubuntu1)
	yakkety	Released (43.0.4+build3-0ubuntu1)
	zesty	Released (43.0.4+build3-0ubuntu1)
gnutls26 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Released (2.12.14-5ubuntu3.11)
	trusty	Released (2.12.23-12ubuntu2.4)
	upstream	Needs triage
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
gnutls28 Launchpad, Ubuntu, Debian	artful	Not vulnerable (3.3.18-1ubuntu1)
	bionic	Not vulnerable (3.3.18-1ubuntu1)
	cosmic	Not vulnerable (3.3.18-1ubuntu1)
	disco	Not vulnerable (3.3.18-1ubuntu1)
	precise	Does not exist (precise was needed)
	trusty	Does not exist (trusty was needed)
	upstream	Released (3.4.1,3.3.15)
	vivid	Released (3.3.8-3ubuntu3.2)
	wily	Not vulnerable (3.3.15-5ubuntu2)
	xenial	Not vulnerable (3.3.18-1ubuntu1)
	yakkety	Not vulnerable (3.3.18-1ubuntu1)
	zesty	Not vulnerable (3.3.18-1ubuntu1)
mbedtls Launchpad, Ubuntu, Debian	artful	Not vulnerable (2.2.1-2)
	bionic	Not vulnerable (2.2.1-2)
	cosmic	Not vulnerable (2.2.1-2)
	disco	Not vulnerable (2.2.1-2)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (2.2.1-1)
	wily	Does not exist
	xenial	Not vulnerable (2.2.1-2)
	yakkety	Not vulnerable (2.2.1-2)
	zesty	Not vulnerable (2.2.1-2)
nss Launchpad, Ubuntu, Debian	artful	Not vulnerable (2:3.21-1ubuntu2)
	bionic	Not vulnerable (2:3.21-1ubuntu2)
	cosmic	Not vulnerable (2:3.21-1ubuntu2)
	disco	Not vulnerable (2:3.21-1ubuntu2)
	precise	Released (3.19.2.1-0ubuntu0.12.04.2)
	trusty	Released (2:3.19.2.1-0ubuntu0.14.04.2)
	upstream	Released (2:3.21-1)
	vivid	Released (2:3.19.2.1-0ubuntu0.15.04.2)
	wily	Released (2:3.19.2.1-0ubuntu0.15.10.2)
	xenial	Not vulnerable (2:3.21-1ubuntu2)
	yakkety	Not vulnerable (2:3.21-1ubuntu2)
	zesty	Not vulnerable (2:3.21-1ubuntu2)
openjdk-6 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Does not exist (precise was released [6b38-1.13.10-0ubuntu0.12.04.1])
	trusty	Does not exist (trusty was released [6b38-1.13.10-0ubuntu0.14.04.1])
	upstream	Needs triage
	vivid	Released (6b38-1.13.10-0ubuntu0.15.04.1)
	wily	Released (6b38-1.13.10-0ubuntu0.15.10.1)
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
openjdk-7 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Does not exist (precise was released [7u95-2.6.4-0ubuntu0.12.04.1])
	trusty	Does not exist (trusty was released [7u95-2.6.4-0ubuntu0.14.04.1])
	upstream	Needs triage
	vivid	Released (7u95-2.6.4-0ubuntu0.15.04.1)
	wily	Released (7u95-2.6.4-0ubuntu0.15.10.1)
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
openjdk-8 Launchpad, Ubuntu, Debian	artful	Not vulnerable (8u72-b15-1)
	bionic	Not vulnerable (8u72-b15-1)
	cosmic	Not vulnerable (8u72-b15-1)
	disco	Not vulnerable (8u72-b15-1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (8u72-b15-1)
	vivid	Ignored (reached end-of-life)
	wily	Released (8u91-b14-0ubuntu4~15.10.1)
	xenial	Not vulnerable (8u72-b15-1)
	yakkety	Not vulnerable (8u72-b15-1)
	zesty	Not vulnerable (8u72-b15-1)
openssl Launchpad, Ubuntu, Debian	artful	Not vulnerable (1.0.2e-1ubuntu1)
	bionic	Not vulnerable (1.0.2e-1ubuntu1)
	cosmic	Not vulnerable (1.0.2e-1ubuntu1)
	disco	Not vulnerable (1.0.2e-1ubuntu1)
	precise	Released (1.0.1-4ubuntu5.33)
	trusty	Not vulnerable (1.0.1f-1ubuntu2.16)
	upstream	Released (1.0.1f)
	vivid	Not vulnerable (1.0.1f-1ubuntu11.5)
	wily	Not vulnerable (1.0.2d-0ubuntu1.2)
	xenial	Not vulnerable (1.0.2e-1ubuntu1)
	yakkety	Not vulnerable (1.0.2e-1ubuntu1)
	zesty	Not vulnerable (1.0.2e-1ubuntu1)
openssl098 Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Does not exist (precise was not-affected)
	trusty	Does not exist (trusty was not-affected)
	upstream	Needs triage
	vivid	Not vulnerable
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
polarssl Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	precise	Does not exist (precise was needed)
	trusty	Does not exist (trusty was needed)
	upstream	Released (1.2.19,1.3.16)
	vivid	Ignored (reached end-of-life)
	wily	Ignored (reached end-of-life)
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist
thunderbird Launchpad, Ubuntu, Debian	artful	Released (1:38.6.0+build1-0ubuntu1)
	bionic	Released (1:38.6.0+build1-0ubuntu1)
	cosmic	Released (1:38.6.0+build1-0ubuntu1)
	disco	Released (1:38.6.0+build1-0ubuntu1)
	precise	Does not exist (precise was released [1:38.6.0+build1-0ubuntu0.12.04.1])
	trusty	Does not exist (trusty was released [1:38.6.0+build1-0ubuntu0.14.04.1])
	upstream	Released (38.6.0)
	vivid	Ignored (reached end-of-life)
	wily	Released (1:38.6.0+build1-0ubuntu0.15.10.1)
	xenial	Released (1:38.6.0+build1-0ubuntu1)
	yakkety	Released (1:38.6.0+build1-0ubuntu1)
	zesty	Released (1:38.6.0+build1-0ubuntu1)

Notes

Author	Note
mdeslaur	This is called "SLOTH"

References

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=1289841

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›