CVE-2015-7575

Published: 31 December 2015

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status
firefox
Upstream Released (43.0.2)
Ubuntu 18.04 LTS (Bionic Beaver) Released (43.0.4+build3-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus) Released (43.0.4+build3-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [43.0.4+build3-0ubuntu0.14.04.1])
gnutls26
Upstream Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Released (2.12.23-12ubuntu2.4)
Patches:
Upstream: https://gitlab.com/gnutls/gnutls/commit/778b4825c4e9fbd087f6fd5e3c94e547b93ae10e
gnutls28
Upstream Released (3.4.1,3.3.15)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.3.18-1ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(3.3.18-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
Patches:
Upstream: https://gitlab.com/gnutls/gnutls/commit/6ef0d5dd3cbd5dfc1bdc05f1d5ce918d04d23752
Upstream: https://gitlab.com/gnutls/gnutls/commit/1e013f4c660fa79c2398dbcfd4f0e054c724c5ec
Upstream: https://gitlab.com/gnutls/gnutls/commit/a8076fa599f0a37f8e12e30eeadd50a0ea3c67b7
Upstream: https://gitlab.com/gnutls/gnutls/commit/3d333e59621f6cf9381c846c405b23d79020d031
Upstream: https://gitlab.com/gnutls/gnutls/commit/20ba9c563c435b20ce5000fe4f831a07a2a6a0cf
mbedtls
Upstream Released (2.2.1-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(2.2.1-2)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(2.2.1-2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
nss
Upstream Released (2:3.21-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(2:3.21-1ubuntu2)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(2:3.21-1ubuntu2)
Ubuntu 14.04 ESM (Trusty Tahr) Released (2:3.19.2.1-0ubuntu0.14.04.2)
Patches:
Upstream: https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb (3.19.2)
Upstream: https://hg.mozilla.org/projects/nss/rev/891676aa0d85 (3.20)
openjdk-6
Upstream Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [6b38-1.13.10-0ubuntu0.14.04.1])
openjdk-7
Upstream Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [7u95-2.6.4-0ubuntu0.14.04.1])
openjdk-8
Upstream Released (8u72-b15-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(8u72-b15-1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(8u72-b15-1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
openssl
Upstream Released (1.0.1f)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1.0.2e-1ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(1.0.2e-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(1.0.1f-1ubuntu2.16)
Patches:
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=45473632c54947859a731dfe2db087c002ef7aa7
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a (1.0.1)
openssl098
Upstream Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected)
polarssl
Upstream Released (1.2.19,1.3.16)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
thunderbird
Upstream Released (38.6.0)
Ubuntu 18.04 LTS (Bionic Beaver) Released (1:38.6.0+build1-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus) Released (1:38.6.0+build1-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1:38.6.0+build1-0ubuntu0.14.04.1])