CVE-2015-7575
Published: 31 December 2015
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
Priority
Medium
CVSS 3 base score: 5.9
Status
| Package | Release | Status |
|---|---|---|
|
firefox Launchpad, Ubuntu, Debian |
Upstream |
Released
(43.0.2)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(43.0.4+build3-0ubuntu1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(43.0.4+build3-0ubuntu1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [43.0.4+build3-0ubuntu0.14.04.1])
|
|
|
gnutls26 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.12.23-12ubuntu2.4)
|
|
|
Patches: Upstream: https://gitlab.com/gnutls/gnutls/commit/778b4825c4e9fbd087f6fd5e3c94e547b93ae10e |
||
|
gnutls28 Launchpad, Ubuntu, Debian |
Upstream |
Released
(3.4.1,3.3.15)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(3.3.18-1ubuntu1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was needed)
|
|
|
Patches: Upstream: https://gitlab.com/gnutls/gnutls/commit/6ef0d5dd3cbd5dfc1bdc05f1d5ce918d04d23752 Upstream: https://gitlab.com/gnutls/gnutls/commit/1e013f4c660fa79c2398dbcfd4f0e054c724c5ec Upstream: https://gitlab.com/gnutls/gnutls/commit/a8076fa599f0a37f8e12e30eeadd50a0ea3c67b7 Upstream: https://gitlab.com/gnutls/gnutls/commit/3d333e59621f6cf9381c846c405b23d79020d031 Upstream: https://gitlab.com/gnutls/gnutls/commit/20ba9c563c435b20ce5000fe4f831a07a2a6a0cf |
||
|
mbedtls Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.2.1-1)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(2.2.1-2)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(2.2.1-2)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
nss Launchpad, Ubuntu, Debian |
Upstream |
Released
(2:3.21-1)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(2:3.21-1ubuntu2)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2:3.19.2.1-0ubuntu0.14.04.2)
|
|
|
Patches: Upstream: https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb (3.19.2) Upstream: https://hg.mozilla.org/projects/nss/rev/891676aa0d85 (3.20) |
||
|
openjdk-6 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [6b38-1.13.10-0ubuntu0.14.04.1])
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [7u95-2.6.4-0ubuntu0.14.04.1])
|
|
|
openjdk-8 Launchpad, Ubuntu, Debian |
Upstream |
Released
(8u72-b15-1)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(8u72-b15-1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(8u72-b15-1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
openssl Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.0.1f)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(1.0.2e-1ubuntu1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(1.0.1f-1ubuntu2.16)
|
|
|
Patches: Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=45473632c54947859a731dfe2db087c002ef7aa7 Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a (1.0.1) |
||
|
openssl098 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was not-affected)
|
|
|
polarssl Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.2.19,1.3.16)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was needed)
|
|
|
thunderbird Launchpad, Ubuntu, Debian |
Upstream |
Released
(38.6.0)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1:38.6.0+build1-0ubuntu1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [1:38.6.0+build1-0ubuntu0.14.04.1])
|
|
Notes
| Author | Note |
|---|---|
| mdeslaur | This is called "SLOTH" |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
- https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
- http://www.mitls.org/pages/attacks/SLOTH
- http://www.gnutls.org/security.html#GNUTLS-SA-2015-2
- http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
- https://usn.ubuntu.com/usn/usn-2863-1
- https://usn.ubuntu.com/usn/usn-2864-1
- https://usn.ubuntu.com/usn/usn-2865-1
- https://usn.ubuntu.com/usn/usn-2866-1
- https://usn.ubuntu.com/usn/usn-2884-1
- http://blog.fuseyism.com/index.php/2016/01/25/security-icedtea-1-13-10-for-openjdk-6-released/
- https://tls.mbed.org/tech-updates/releases/mbedtls-2.2.1-2.1.4-1.3.16-and-polarssl.1.2.19-released
- https://usn.ubuntu.com/usn/usn-2904-1
- NVD
- Launchpad
- Debian