CVE-2015-7575

EUVD-2015-7485
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.9 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |

EPSS Score percentile: 81%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| mozilla | network_security_services | 𝑥 ≤ 3.20.1 |
| opensuse | leap | 42.1 |
| opensuse | opensuse | 13.1 |
| opensuse | opensuse | 13.2 |
| mozilla | firefox | 38.0 |
| mozilla | firefox | 38.0.1 |
| mozilla | firefox | 38.0.5 |
| mozilla | firefox | 38.1.0 |
| mozilla | firefox | 38.1.1 |
| mozilla | firefox | 38.2.0 |
| mozilla | firefox | 38.2.1 |
| mozilla | firefox | 38.3.0 |
| mozilla | firefox | 38.4.0 |
| mozilla | firefox | 38.5.0 |
| mozilla | firefox | 38.5.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.04 |
| canonical | ubuntu_linux | 15.10 |
| mozilla | firefox | 𝑥 ≤ 43.0.1 |

𝑥 = Vulnerable software versions

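Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| gnutls28 | bookworm | 3.7.9-2+deb12u3 | fixed |
| gnutls28 | bullseye | 3.7.1-5+deb11u5 | fixed |
| gnutls28 | bullseye (security) | 3.7.1-5+deb11u6 | fixed |
| gnutls28 | sid | 3.8.6-2 | fixed |
| gnutls28 | squeeze | | not-affected |
| gnutls28 | trixie | 3.8.6-2 | fixed |
| gnutls28 | wheezy | | not-affected |
| nss | bookworm | 2:3.87.1-1 | fixed |
| nss | bullseye | 2:3.61-1+deb11u3 | fixed |
| nss | bullseye (security) | 2:3.61-1+deb11u4 | fixed |
| nss | sid | 2:3.105-2 | fixed |
| nss | squeeze | | not-affected |
| nss | trixie | 2:3.105-2 | fixed |
| nss | wheezy | | not-affected |
| openjdk-8 | sid | 8u432-b06-2 | fixed |
| openjdk-8 | squeeze | | not-affected |
| openjdk-8 | wheezy | | not-affected |
| openssl | bookworm | 3.0.14-1~deb12u1 | fixed |
| openssl | bookworm (security) | 3.0.14-1~deb12u2 | fixed |
| openssl | bullseye | 1.1.1w-0+deb11u1 | fixed |
| openssl | bullseye (security) | 1.1.1w-0+deb11u2 | fixed |
| openssl | sid | 3.3.2-2 | fixed |
| openssl | squeeze | | not-affected |
| openssl | trixie | 3.3.2-2 | fixed |
| openssl | wheezy | | not-affected |
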
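Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version | Status |
|---|---|---|---|
| firefox | artful | 43.0.4+build3-0ubuntu1 | released |
| firefox | bionic | 43.0.4+build3-0ubuntu1 | released |
| firefox | cosmic | 43.0.4+build3-0ubuntu1 | released |
| firefox | disco | 43.0.4+build3-0ubuntu1 | released |
| firefox | precise | 43.0.4+build3-0ubuntu0.12.04.1 | released |
| firefox | trusty | 43.0.4+build3-0ubuntu0.14.04.1 | released |
| firefox | vivid | 43.0.4+build3-0ubuntu0.15.04.1 | released |
| firefox | wily | 43.0.4+build3-0ubuntu0.15.10.1 | released |
| firefox | xenial | 43.0.4+build3-0ubuntu1 | released |
| firefox | yakkety | 43.0.4+build3-0ubuntu1 | released |
| firefox | zesty | 43.0.4+build3-0ubuntu1 | released |
| gnutls26 | artful | | dne |
| gnutls26 | bionic | | dne |
| gnutls26 | cosmic | | dne |
| gnutls26 | disco | | dne |
| gnutls26 | precise | 2.12.14-5ubuntu3.11 | released |
| gnutls26 | trusty | 2.12.23-12ubuntu2.4 | released |
| gnutls26 | vivid | | dne |
| gnutls26 | wily | | dne |
| gnutls26 | xenial | | dne |
| gnutls26 | yakkety | | dne |
| gnutls26 | zesty | | dne |
| gnutls28 | artful | | not-affected |
| gnutls28 | bionic | | not-affected |
| gnutls28 | cosmic | | not-affected |
| gnutls28 | disco | | not-affected |
| gnutls28 | precise | | ignored |
| gnutls28 | trusty | | dne |
| gnutls28 | vivid | 3.3.8-3ubuntu3.2 | released |
| gnutls28 | wily | | not-affected |
| gnutls28 | xenial | | not-affected |
| gnutls28 | yakkety | | not-affected |
| gnutls28 | zesty | | not-affected |
| mbedtls | artful | | not-affected |
| mbedtls | bionic | | not-affected |
| mbedtls | cosmic | | not-affected |
| mbedtls | disco | | not-affected |
| mbedtls | precise | | dne |
| mbedtls | trusty | | dne |
| mbedtls | wily | | dne |
| mbedtls | xenial | | not-affected |
| mbedtls | yakkety | | not-affected |
| mbedtls | zesty | | not-affected |
| nss | artful | | not-affected |
| nss | bionic | | not-affected |
| nss | cosmic | | not-affected |
| nss | disco | | not-affected |
| nss | precise | 3.19.2.1-0ubuntu0.12.04.2 | released |
| nss | trusty | 2:3.19.2.1-0ubuntu0.14.04.2 | released |
| nss | vivid | 2:3.19.2.1-0ubuntu0.15.04.2 | released |
| nss | wily | 2:3.19.2.1-0ubuntu0.15.10.2 | released |
| nss | xenial | | not-affected |
| nss | yakkety | | not-affected |
| nss | zesty | | not-affected |
| openjdk-6 | artful | | dne |
| openjdk-6 | bionic | | dne |
| openjdk-6 | cosmic | | dne |
| openjdk-6 | disco | | dne |
| openjdk-6 | precise | 6b38-1.13.10-0ubuntu0.12.04.1 | released |
| openjdk-6 | trusty | 6b38-1.13.10-0ubuntu0.14.04.1 | released |
| openjdk-6 | vivid | 6b38-1.13.10-0ubuntu0.15.04.1 | released |
| openjdk-6 | wily | 6b38-1.13.10-0ubuntu0.15.10.1 | released |
| openjdk-6 | xenial | | dne |
| openjdk-6 | yakkety | | dne |
| openjdk-6 | zesty | | dne |
| openjdk-7 | artful | | dne |
| openjdk-7 | bionic | | dne |
| openjdk-7 | cosmic | | dne |
| openjdk-7 | disco | | dne |
| openjdk-7 | precise | 7u95-2.6.4-0ubuntu0.12.04.1 | released |
| openjdk-7 | trusty | 7u95-2.6.4-0ubuntu0.14.04.1 | released |
| openjdk-7 | vivid | 7u95-2.6.4-0ubuntu0.15.04.1 | released |
| openjdk-7 | wily | 7u95-2.6.4-0ubuntu0.15.10.1 | released |
| openjdk-7 | xenial | | dne |
| openjdk-7 | yakkety | | dne |
| openjdk-7 | zesty | | dne |
| openjdk-8 | artful | | not-affected |
| openjdk-8 | bionic | | not-affected |
| openjdk-8 | cosmic | | not-affected |
| openjdk-8 | disco | | not-affected |
| openjdk-8 | precise | | dne |
| openjdk-8 | trusty | | dne |
| openjdk-8 | vivid | | ignored |
| openjdk-8 | wily | 8u91-b14-0ubuntu4~15.10.1 | released |
| openjdk-8 | xenial | | not-affected |
| openjdk-8 | yakkety | | not-affected |
| openjdk-8 | zesty | | not-affected |
| openssl | artful | | not-affected |
| openssl | bionic | | not-affected |
| openssl | cosmic | | not-affected |
| openssl | disco | | not-affected |
| openssl | precise | 1.0.1-4ubuntu5.33 | released |
| openssl | trusty | | not-affected |
| openssl | vivid | | not-affected |
| openssl | wily | | not-affected |
| openssl | xenial | | not-affected |
| openssl | yakkety | | not-affected |
| openssl | zesty | | not-affected |
| openssl098 | artful | | dne |
| openssl098 | bionic | | dne |
| openssl098 | cosmic | | dne |
| openssl098 | disco | | dne |
| openssl098 | precise | | not-affected |
| openssl098 | trusty | | dne |
| openssl098 | vivid | | not-affected |
| openssl098 | wily | | dne |
| openssl098 | xenial | | dne |
| openssl098 | yakkety | | dne |
| openssl098 | zesty | | dne |
| polarssl | artful | | dne |
| polarssl | bionic | | dne |
| polarssl | cosmic | | dne |
| polarssl | disco | | dne |
| polarssl | precise | | ignored |
| polarssl | trusty | | dne |
| polarssl | vivid | | ignored |
| polarssl | wily | | ignored |
| polarssl | xenial | | dne |
| polarssl | yakkety | | dne |
| polarssl | zesty | | dne |
| thunderbird | artful | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | bionic | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | cosmic | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | disco | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | precise | 1:38.6.0+build1-0ubuntu0.12.04.1 | released |
| thunderbird | trusty | 1:38.6.0+build1-0ubuntu0.14.04.1 | released |
| thunderbird | vivid | | ignored |
| thunderbird | wily | 1:38.6.0+build1-0ubuntu0.15.10.1 | released |
| thunderbird | xenial | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | yakkety | 1:38.6.0+build1-0ubuntu1 | released |
| thunderbird | zesty | 1:38.6.0+build1-0ubuntu1 | released |
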
Common Weakness Enumeration
References