CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	19.04 disco	Fixed 43.0.4+build3-0ubuntu1
	18.10 cosmic	Fixed 43.0.4+build3-0ubuntu1
	18.04 LTS bionic	Fixed 43.0.4+build3-0ubuntu1
	17.10 artful	Fixed 43.0.4+build3-0ubuntu1
	17.04 zesty	Fixed 43.0.4+build3-0ubuntu1
	16.10 yakkety	Fixed 43.0.4+build3-0ubuntu1
	16.04 LTS xenial	Fixed 43.0.4+build3-0ubuntu1
	15.10 wily	Fixed 43.0.4+build3-0ubuntu0.15.10.1
	15.04 vivid	Fixed 43.0.4+build3-0ubuntu0.15.04.1
	14.04 LTS trusty	Fixed 43.0.4+build3-0ubuntu0.14.04.1
	12.04 LTS precise	Fixed 43.0.4+build3-0ubuntu0.12.04.1
gnutls26	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not in release
	15.04 vivid	Not in release
	14.04 LTS trusty	Fixed 2.12.23-12ubuntu2.4
	12.04 LTS precise	Fixed 2.12.14-5ubuntu3.11
gnutls28	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not affected
	15.04 vivid	Fixed 3.3.8-3ubuntu3.2
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Ignored
mbedtls	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
nss	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Fixed 2:3.19.2.1-0ubuntu0.15.10.2
	15.04 vivid	Fixed 2:3.19.2.1-0ubuntu0.15.04.2
	14.04 LTS trusty	Fixed 2:3.19.2.1-0ubuntu0.14.04.2
	12.04 LTS precise	Fixed 3.19.2.1-0ubuntu0.12.04.2
openjdk-6	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Fixed 6b38-1.13.10-0ubuntu0.15.10.1
	15.04 vivid	Fixed 6b38-1.13.10-0ubuntu0.15.04.1
	14.04 LTS trusty	Fixed 6b38-1.13.10-0ubuntu0.14.04.1
	12.04 LTS precise	Fixed 6b38-1.13.10-0ubuntu0.12.04.1
openjdk-7	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Fixed 7u95-2.6.4-0ubuntu0.15.10.1
	15.04 vivid	Fixed 7u95-2.6.4-0ubuntu0.15.04.1
	14.04 LTS trusty	Fixed 7u95-2.6.4-0ubuntu0.14.04.1
	12.04 LTS precise	Fixed 7u95-2.6.4-0ubuntu0.12.04.1
openjdk-8	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Fixed 8u91-b14-0ubuntu4~15.10.1
	15.04 vivid	Ignored
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
openssl	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.04 LTS trusty	Not affected
	12.04 LTS precise	Fixed 1.0.1-4ubuntu5.33
openssl098	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not in release
	15.04 vivid	Not affected
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not affected
polarssl	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Ignored
	15.04 vivid	Ignored
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Ignored
thunderbird	19.04 disco	Fixed 1:38.6.0+build1-0ubuntu1
	18.10 cosmic	Fixed 1:38.6.0+build1-0ubuntu1
	18.04 LTS bionic	Fixed 1:38.6.0+build1-0ubuntu1
	17.10 artful	Fixed 1:38.6.0+build1-0ubuntu1
	17.04 zesty	Fixed 1:38.6.0+build1-0ubuntu1
	16.10 yakkety	Fixed 1:38.6.0+build1-0ubuntu1
	16.04 LTS xenial	Fixed 1:38.6.0+build1-0ubuntu1
	15.10 wily	Fixed 1:38.6.0+build1-0ubuntu0.15.10.1
	15.04 vivid	Ignored
	14.04 LTS trusty	Fixed 1:38.6.0+build1-0ubuntu0.14.04.1
	12.04 LTS precise	Fixed 1:38.6.0+build1-0ubuntu0.12.04.1

Notes

mdeslaur

This is called "SLOTH"

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnutls26	Upstream: 778b482
gnutls28	Upstream: 6ef0d5d Upstream: 1e013f4 Upstream: a8076fa Upstream: 3d333e5 Upstream: 20ba9c5
nss	Upstream: https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb Upstream: https://hg.mozilla.org/projects/nss/rev/891676aa0d85
openssl	Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=45473632c54947859a731dfe2db087c002ef7aa7 Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=5e1ff664f95ab4c9176b3e86b5111e5777bad61a

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-2866-1
Firefox vulnerability
8 January 2016

USN-2904-1
Thunderbird vulnerabilities
8 March 2016

USN-2863-1
OpenSSL vulnerability
7 January 2016

USN-2865-1
GnuTLS vulnerability
8 January 2016

USN-2884-1
OpenJDK 7 vulnerabilities
1 February 2016

USN-2864-1
NSS vulnerability
7 January 2016

Cvss 3 Severity Score