[FREEBSD:10F7BC76-0335-4A88-B391-0B05B3A8CE1C] NSS -- MD5 downgrade in TLS 1.2 signatures

Severity Medium

Affected Packages 4

CVEs 1

The Mozilla Project reports:

  Security researcher Karthikeyan Bhargavan reported an
    issue in Network Security Services (NSS) where MD5
    signatures in the server signature within the TLS 1.2
    ServerKeyExchange message are still accepted. This is an
    issue since NSS has officially disallowed the accepting MD5
    as a hash algorithm in signatures since 2011. This issues
    exposes NSS based clients such as Firefox to theoretical
    collision-based forgery attacks.

Package	Affected Version
pkg:freebsd/nss	< 3.20.2
pkg:freebsd/linux-thunderbird	< 38.5.1
pkg:freebsd/linux-seamonkey	< 2.40
pkg:freebsd/linux-firefox	< 43.0.2,1

ID

FREEBSD:10F7BC76-0335-4A88-B391-0B05B3A8CE1C

Severity

medium

Severity from

CVE-2015-7575

URL

http://vuxml.freebsd.org/freebsd/10f7bc76-0335-4a88-b391-0b05b3a8ce1c.html

Published

2015-12-22T00:00:00
(8 years ago)

Modified

2015-12-28T00:00:00
(8 years ago)

Rights

FreeBSD VuXML Security Team

Other Advisories

Source	# ID	Name	URL
FreeBSD VuXML			https://www.mozilla.org/security/advisories/mfsa2015-150/
FreeBSD VuXML			https://hg.mozilla.org/projects/nss/rev/94e1157f3fbb

Type	Package URL	Name / Product	Version
Affected	pkg:freebsd/nss	nss	< 3.20.2
Affected	pkg:freebsd/linux-thunderbird	linux-thunderbird	< 38.5.1
Affected	pkg:freebsd/linux-seamonkey	linux-seamonkey	< 2.40
Affected	pkg:freebsd/linux-firefox	linux-firefox	< 43.0.2,1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date