CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
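
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.9 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| redhat | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
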
EPSS Score percentile: 82%

| Vendor | Product | Version |
|---|---|---|
| mozilla | network_security_services | 𝑥 ≤ 3.20.1 |
| opensuse | leap | 42.1 |
| opensuse | opensuse | 13.1 |
| opensuse | opensuse | 13.2 |
| mozilla | firefox | 38.0 |
| mozilla | firefox | 38.0.1 |
| mozilla | firefox | 38.0.5 |
| mozilla | firefox | 38.1.0 |
| mozilla | firefox | 38.1.1 |
| mozilla | firefox | 38.2.0 |
| mozilla | firefox | 38.2.1 |
| mozilla | firefox | 38.3.0 |
| mozilla | firefox | 38.4.0 |
| mozilla | firefox | 38.5.0 |
| mozilla | firefox | 38.5.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.04 |
| canonical | ubuntu_linux | 15.10 |
| mozilla | firefox | 𝑥 ≤ 43.0.1 |

𝑥 = Vulnerable software versions

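Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| gnutls28 | bullseye | 3.7.1-5+deb11u5 | fixed |
| gnutls28 | squeeze | | not-affected |
| gnutls28 | wheezy | | not-affected |
| gnutls28 | bullseye (security) | 3.7.1-5+deb11u6 | fixed |
| gnutls28 | bookworm | 3.7.9-2+deb12u3 | fixed |
| gnutls28 | sid | 3.8.6-2 | fixed |
| gnutls28 | trixie | 3.8.6-2 | fixed |
| nss | bullseye | 2:3.61-1+deb11u3 | fixed |
| nss | squeeze | | not-affected |
| nss | wheezy | | not-affected |
| nss | bullseye (security) | 2:3.61-1+deb11u4 | fixed |
| nss | bookworm | 2:3.87.1-1 | fixed |
| nss | sid | 2:3.105-2 | fixed |
| nss | trixie | 2:3.105-2 | fixed |
| openjdk-8 | sid | 8u432-b06-2 | fixed |
| openjdk-8 | squeeze | | not-affected |
| openjdk-8 | wheezy | | not-affected |
| openssl | bullseye | 1.1.1w-0+deb11u1 | fixed |
| openssl | squeeze | | not-affected |
| openssl | wheezy | | not-affected |
| openssl | bullseye (security) | 1.1.1w-0+deb11u2 | fixed |
| openssl | bookworm | 3.0.14-1~deb12u1 | fixed |
| openssl | bookworm (security) | 3.0.14-1~deb12u2 | fixed |
| openssl | sid | 3.3.2-2 | fixed |
| openssl | trixie | 3.3.2-2 | fixed |
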
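Ubuntu Releases

| Ubuntu Product | Codename | Fixed version | Status |
|---|---|---|---|
| firefox | disco | 43.0.4+build3-0ubuntu1 | released |
| firefox | cosmic | 43.0.4+build3-0ubuntu1 | released |
| firefox | bionic | 43.0.4+build3-0ubuntu1 | released |
| firefox | artful | 43.0.4+build3-0ubuntu1 | released |
| firefox | zesty | 43.0.4+build3-0ubuntu1 | released |
| firefox | yakkety | 43.0.4+build3-0ubuntu1 | released |
| firefox | xenial | 43.0.4+build3-0ubuntu1 | released |
| firefox | wily | 43.0.4+build3-0ubuntu0.15.10.1 | released |
| firefox | vivid | 43.0.4+build3-0ubuntu0.15.04.1 | released |
| firefox | trusty | 43.0.4+build3-0ubuntu0.14.04.1 | released |
| firefox | precise | 43.0.4+build3-0ubuntu0.12.04.1 | released |
| gnutls26 | disco | | dne |
| gnutls26 | cosmic | | dne |
| gnutls26 | bionic | | dne |
| gnutls26 | artful | | dne |
| gnutls26 | zesty | | dne |
| gnutls26 | yakkety | | dne |
| gnutls26 | xenial | | dne |
| gnutls26 | wily | | dne |
| gnutls26 | vivid | | dne |
| gnutls26 | trusty | 2.12.23-12ubuntu2.4 | released |
| gnutls26 | precise | 2.12.14-5ubuntu3.11 | released |
| gnutls28 | disco | | not-affected |
| gnutls28 | cosmic | | not-affected |
| gnutls28 | bionic | | not-affected |
| gnutls28 | artful | | not-affected |
| gnutls28 | zesty | | not-affected |
| gnutls28 | yakkety | | not-affected |
| gnutls28 | xenial | | not-affected |
| gnutls28 | wily | | not-affected |
| gnutls28 | vivid | 3.3.8-3ubuntu3.2 | released |
| gnutls28 | trusty | | dne |
| gnutls28 | precise | | ignored |
| mbedtls | disco | | not-affected |
| mbedtls | cosmic | | not-affected |
| mbedtls | bionic | | not-affected |
| mbedtls | artful | | not-affected |
| mbedtls | zesty | | not-affected |
| mbedtls | yakkety | | not-affected |
| mbedtls | xenial | | not-affected |
| mbedtls | wily | | dne |
| mbedtls | trusty | | dne |
| mbedtls | precise | | dne |
| nss | disco | | not-affected |
| nss | cosmic | | not-affected |
| nss | bionic | | not-affected |
| nss | artful | | not-affected |
| nss | zesty | | not-affected |
| nss | yakkety | | not-affected |
| nss | xenial | | not-affected |
| nss | wily | 2:3.19.2.1-0ubuntu0.15.10.2 | released |
| nss | vivid | 2:3.19.2.1-0ubuntu0.15.04.2 | released |
| nss | trusty | 2:3.19.2.1-0ubuntu0.14.04.2 | released |
| nss | precise | 3.19.2.1-0ubuntu0.12.04.2 | released |
| openjdk-6 | disco | | dne |
| openjdk-6 | cosmic | | dne |
| openjdk-6 | bionic | | dne |
| openjdk-6 | artful | | dne |
| openjdk-6 | zesty | | dne |
| openjdk-6 | yakkety | | dne |
| openjdk-6 | xenial | | dne |
| openjdk-6 | wily | 6b38-1.13.10-0ubuntu0.15.10.1 | released |
| openjdk-6 | vivid | 6b38-1.13.10-0ubuntu0.15.04.1 | released |
| openjdk-6 | trusty | 6b38-1.13.10-0ubuntu0.14.04.1 | released |
| openjdk-6 | precise | 6b38-1.13.10-0ubuntu0.12.04.1 | released |
| openjdk-7 | disco | | dne |
| openjdk-7 | cosmic | | dne |
| openjdk-7 | bionic | | dne |
| openjdk-7 | artful | | dne |
| openjdk-7 | zesty | | dne |
| openjdk-7 | yakkety | | dne |
| openjdk-7 | xenial | | dne |
| openjdk-7 | wily | 7u95-2.6.4-0ubuntu0.15.10.1 | released |
| openjdk-7 | vivid | 7u95-2.6.4-0ubuntu0.15.04.1 | released |
| openjdk-7 | trusty | 7u95-2.6.4-0ubuntu0.14.04.1 | released |
| openjdk-7 | precise | 7u95-2.6.4-0ubuntu0.12.04.1 | released |
| openjdk-8 | disco | | not-affected |
| openjdk-8 | cosmic | | not-affected |
| openjdk-8 | bionic | | not-affected |
| openjdk-8 | artful | | not-affected |
| openjdk-8 | zesty | | not-affected |
| openjdk-8 | yakkety | | not-affected |
| openjdk-8 | xenial | | not-affected |
| openjdk-8 | wily | 8u91-b14-0ubuntu4~15.10.1 | released |
| openjdk-8 | vivid | | ignored |
| openjdk-8 | trusty | | dne |
| openjdk-8 | precise | | dne |
| openssl | disco | | not-affected |
| openssl | cosmic | | not-affected |
| openssl | bionic | | not-affected |
| openssl | artful | | not-affected |
| openssl | zesty | | not-affected |
| openssl | yakkety | | not-affected |
| openssl | xenial | | not-affected |
| openssl | wily | | not-affected |
| openssl | vivid | | not-affected |
| openssl | trusty | | not-affected |
| openssl | precise | 1.0.1-4ubuntu5.33 | released |
| openssl098 | disco | | dne |
| openssl098 | cosmic | | dne |
| openssl098 | bionic | | dne |
| openssl098 | artful | | dne |
| openssl098 | zesty | | dne |
| openssl098 | yakkety | | dne |
| openssl098 | xenial | | dne |
| openssl098 | wily | | dne |
| openssl098 | vivid | | not-affected |
| openssl098 | trusty | | dne |
| openssl098 | precise | | not-affected |
| polarssl | disco | | dne |
| polarssl | cosmic | | dne |
| polarssl | bionic | | dne |
| polarssl | artful | | dne |
| polarssl | zesty | | dne |
| polarssl | yakkety | | dne |
| polarssl | xenial | | dne |
| polarssl | wily | | ignored |
| polarssl | vivid | | ignored |
| polarssl | trusty | | dne |
| polarssl | precise | | ignored |
| thunderbird | disco | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | cosmic | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | bionic | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | artful | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | zesty | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | yakkety | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | xenial | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | wily | 1:38.6.0+build1-0ubuntu0.15.10.1 | released |
| thunderbird | vivid | | ignored |
| thunderbird | trusty | 1:38.6.0+build1-0ubuntu0.14.04.1 | released |
| thunderbird | precise | 1:38.6.0+build1-0ubuntu0.12.04.1 | released |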