SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
SecurityTracker Alert ID:  1034541
SecurityTracker URL:  http://securitytracker.com/id/1034541
CVE Reference:   CVE-2015-7575   (Links to External Site)
Date:  Dec 28 2015
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 43.0.2
Description:   A vulnerability was reported in Mozilla Firefox. A remote user can conduct hash collision forgery attacks.

The system allows the use of MD5 server signatures in a TLS 1.2 ServerKeyExchange message. As a result, the system may be subject to hash collision forgery attacks.

Karthikeyan Bhargavan reported this vulnerability.

Impact:   A remote user can conduct hash collision forgery attacks.
Solution:   The vendor has issued a fix (43.0.2, ESR 38.5.2).

The vendor's advisory is available at:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/

Vendor URL:  www.mozilla.org/en-US/security/advisories/mfsa2015-150/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 8 2016 (Red Hat Issues Fix for Network Security Services (NSS)) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for Network Security Services (NSS) for Red Hat Enterprise Linux 6 and 7.
Jan 8 2016 (Red Hat Issues Fix for OpenSSL) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for OpenSSL for Red Hat Enterprise Linux 6 and 7.
Jan 8 2016 (Red Hat Issues Fix for GnuTLS) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for GnuTLS for Red Hat Enterprise Linux 6 and 7.
Jan 8 2016 (Ubuntu Issues Fix for GnuTLS) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Ubuntu has issued a fix for GnuTLS for Ubuntu Linux 12.04 LTS, 14.04 LTS, and 15.04.
Jan 8 2016 (Ubuntu Issues Fix) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.04, and 15.10.
Jan 8 2016 (Ubuntu Issues Fix for Network Security Services (NSS)) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Ubuntu has issued a fix for Network Security Services (NSS) for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.04, and 15.10.
Jan 9 2016 (Ubuntu Issues Fix for OpenSSL) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Ubuntu has issued a fix for OpenSSL for Ubuntu Linux 12.04 LTS.
Jan 9 2016 (CentOS Issues Fix for Network Security Services (NSS)) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
CentOS has issued a fix for Network Security Services (NSS) for CentOS 6 and 7.
Jan 9 2016 (CentOS Issues Fix for OpenSSL) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
CentOS has issued a fix for OpenSSL for CentOS 6 and 7.
Jan 9 2016 (CentOS Issues Fix for GnuTLS) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
CentOS has issued a fix for GnuTLS for CentOS 6 and 7.
Jan 19 2016 (Oracle Issues Fix for Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Oracle has issued a fix for Oracle Java SE.
Jan 21 2016 (Red Hat Issues Fix for Java) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for java-1.8.0-openjdk for Red Hat Enterprise Linux 7.
Jan 21 2016 (Red Hat Issues Fix for Java) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for java-1.8.0-openjdk for Red Hat Enterprise Linux 6.
Jan 21 2016 (Oracle Issues Fix for Oracle Linux) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Oracle has issued a fix for Oracle Linux 7.
Jan 21 2016 (Red Hat Issues Fix for Java) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for Oracle Java for Red Hat Enterprise Linux 6.
Jan 21 2016 (Red Hat Issues Fix for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for Oracle Java SE for Red Hat Enterprise Linux 5 and 7.
Jan 21 2016 (Red Hat Issues Fix for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for Oracle Java SE for Red Hat Enterprise Linux 7.
Jan 22 2016 (Red Hat Issues Fix for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Red Hat has issued a fix for java-1.7.0-oracle for Red Hat Enterprise Linux 7.
Jan 22 2016 (Oracle Issues Fix for Oracle Linux for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Oracle has issued a fix for java-1.8.0-openjdk for Oracle Linux 6.
Jan 22 2016 (CentOS Issues Fix for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
CentOS has issued a fix for Oracle Java SE for CentOS 6.
Jan 22 2016 (Oracle Issues Fix for Oracle Linux for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Oracle has issued a fix for Oracle Java SE for Oracle Linux 7.
Jan 22 2016 (Oracle Issues Fix for Oracle Linux for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Oracle has issued a fix for java-1.7.0-openjdk for Oracle Linux 5.
Jan 22 2016 (Oracle Issues Fix for Oracle Linux for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Oracle has issued a fix for java-1.7.0-openjdk for Oracle Linux 6.
Jan 22 2016 (CentOS Issues Fix for Oracle Java SE) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
CentOS has issued a fix for java-1.8.0-openjdk for CentOS 7.
Feb 2 2016 (IBM Issues Fix for IBM AIX for OpenSSL) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for OpenSSL for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Feb 2 2016 (IBM Issues Fix for IBM Lotus Domino) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM Lotus Domino.
Feb 2 2016 (IBM Issues Fix for IBM Security Network IPS) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM Security Network IPS 4.6.1 and 4.6.2.
Feb 5 2016 (IBM Issues Fix for IBM API Management) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM API Management.
Feb 5 2016 (IBM Issues Fix for IBM Security Access Manager for Web) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM Security Access Manager for Web.
Feb 16 2016 (IBM Issues Fix for IBM DB2) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM DB2.
Feb 19 2016 (Mozilla Issues Fix for Mozilla Thunderbird) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Mozilla has issued a fix for Mozilla Thunderbird.
Feb 24 2016 (IBM Issues Fix for IBM SPSS Analytic Server) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM SPSS Analytic Server.
Feb 24 2016 (IBM Issues Fix for IBM Tivoli Provisioning Manager) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM Tivoli Provisioning Manager
Feb 26 2016 (IBM Issues Fix for IBM Security AppScan) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM Security AppScan Enterprise.
Mar 3 2016 (IBM Issues Fix for IBM Lotus Notes) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM Lotus Notes.
Mar 9 2016 (Ubuntu Issues Fix for Mozilla Thunderbird) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
Ubuntu has issued a fix for Mozilla Thunderbird for Ubuntu Linux 12.04 LTS, 14.04 LTS, and 15.10.
Mar 17 2016 (IBM Issues Fix for IBM API Management) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM API Management.
Jul 27 2016 (IBM Issues Fix for IBM AIX) Mozilla Firefox MD5 Signature Support in TLS ServerKeyExchange Messages Exposes Users to Hash Collision Forgery Attacks
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC