CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

Published : 2016-01-09 02:59 Updated : 2018-10-30 16:27

4.3
CVSS Score More info
Score 4.3 / 10
4.3
Vendor Product Version URI
Mozilla Firefox Esr 38.0.1 cpe:/a:mozilla:firefox_esr:38.0.1
Mozilla Firefox Esr 38.1.0 cpe:/a:mozilla:firefox_esr:38.1.0
Mozilla Firefox Esr 38.2.1 cpe:/a:mozilla:firefox_esr:38.2.1
Mozilla Firefox Esr 38.3.0 cpe:/a:mozilla:firefox_esr:38.3.0
Mozilla Firefox Esr 38.1.1 cpe:/a:mozilla:firefox_esr:38.1.1
Mozilla Firefox Esr 38.2.0 cpe:/a:mozilla:firefox_esr:38.2.0
Mozilla Firefox Esr 38.5.0 cpe:/a:mozilla:firefox_esr:38.5.0
Mozilla Firefox Esr 38.0.5 cpe:/a:mozilla:firefox_esr:38.0.5
Mozilla Firefox Esr 38.4.0 cpe:/a:mozilla:firefox_esr:38.4.0
Mozilla Firefox Esr 38.5.1 cpe:/a:mozilla:firefox_esr:38.5.1
Canonical Ubuntu Linux 14.04 cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
Mozilla Network Security Services 3.20.1 cpe:/a:mozilla:network_security_services:3.20.1
Mozilla Firefox 43.0.1 cpe:/a:mozilla:firefox:43.0.1
Canonical Ubuntu Linux 15.10 cpe:/o:canonical:ubuntu_linux:15.10
Mozilla Firefox Esr 38.0 cpe:/a:mozilla:firefox_esr:38.0
Canonical Ubuntu Linux 15.04 cpe:/o:canonical:ubuntu_linux:15.04
Opensuse Leap 42.1 cpe:/o:opensuse:leap:42.1
Opensuse Opensuse 13.1 cpe:/o:opensuse:opensuse:13.1
Opensuse Opensuse 13.2 cpe:/o:opensuse:opensuse:13.2
  1. Canonical (1) Search CVE
    1. Ubuntu Linux (3) Search CVE
      1. 14.04
      2. 15.10
      3. 15.04
  2. Opensuse (2) Search CVE
    1. Opensuse (2) Search CVE
      1. 13.1
      2. 13.2
    2. Leap (1) Search CVE
      1. 42.1
  3. Mozilla (3) Search CVE
    1. Firefox (1) Search CVE
      1. 43.0.1
    2. Firefox Esr (11) Search CVE
      1. 38.0.1
      2. 38.1.0
      3. 38.2.1
      4. 38.3.0
      5. 38.1.1
      6. 38.2.0
      7. 38.5.0
      8. 38.0.5
      9. 38.4.0
      10. 38.5.1
      11. 38.0
    3. Network Security Services (1) Search CVE
      1. 3.20.1

CWE

ID Name Description Links
CWE-19 Data Processing Errors Weaknesses in this category are typically found in functionality that processes data. CVE

References

Source Link
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
SUSE http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html
SUSE http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html
REDHAT http://rhn.redhat.com/errata/RHSA-2016-0049.html
REDHAT http://rhn.redhat.com/errata/RHSA-2016-0050.html
REDHAT http://rhn.redhat.com/errata/RHSA-2016-0053.html
REDHAT http://rhn.redhat.com/errata/RHSA-2016-0054.html
REDHAT http://rhn.redhat.com/errata/RHSA-2016-0055.html
REDHAT http://rhn.redhat.com/errata/RHSA-2016-0056.html
DEBIAN http://www.debian.org/security/2016/dsa-3436
DEBIAN http://www.debian.org/security/2016/dsa-3437
DEBIAN http://www.debian.org/security/2016/dsa-3457
DEBIAN http://www.debian.org/security/2016/dsa-3458
DEBIAN http://www.debian.org/security/2016/dsa-3465
DEBIAN http://www.debian.org/security/2016/dsa-3491
CONFIRM http://www.mozilla.org/security/announce/2015/mfsa2015-150.html
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
CONFIRM http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
BID http://www.securityfocus.com/bid/79684
BID http://www.securityfocus.com/bid/91787
SECTRACK http://www.securitytracker.com/id/1034541
UBUNTU http://www.ubuntu.com/usn/USN-2863-1
UBUNTU http://www.ubuntu.com/usn/USN-2864-1
UBUNTU http://www.ubuntu.com/usn/USN-2865-1
UBUNTU http://www.ubuntu.com/usn/USN-2866-1
UBUNTU http://www.ubuntu.com/usn/USN-2884-1
UBUNTU http://www.ubuntu.com/usn/USN-2904-1
REDHAT https://access.redhat.com/errata/RHSA-2016:1430
CONFIRM https://bugzilla.mozilla.org/show_bug.cgi?id=1158489
CONFIRM https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
GENTOO https://security.gentoo.org/glsa/201706-18
GENTOO https://security.gentoo.org/glsa/201701-46
SECTRACK http://www.securitytracker.com/id/1036467
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
DEBIAN http://www.debian.org/security/2016/dsa-3688
CONFIRM https://security.netapp.com/advisory/ntap-20160225-0001/
GENTOO https://security.gentoo.org/glsa/201801-15

History of changes

Date Event
2018-10-30 16:27
2018-01-16 02:29
2017-11-10 02:29
2017-11-04 01:29
2017-10-20 01:29
2017-09-01 05:57
2017-07-01 05:31
2016-01-09 02:59

New CVE