Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2015-12/msg00139.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-01/msg00005.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-01/msg00058.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-01/msg00059.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-02/msg00007.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-02/msg00008.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-02/msg00101.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2016-02/msg00166.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0049.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0050.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0053.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0054.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0055.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2016-0056.html cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3436 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3437 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3457 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3458 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3465 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3491 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3688 cve-icon cve-icon
http://www.mitls.org/pages/attacks/SLOTH cve-icon
http://www.mozilla.org/security/announce/2015/mfsa2015-150.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html cve-icon cve-icon
http://www.securityfocus.com/bid/79684 cve-icon cve-icon
http://www.securityfocus.com/bid/91787 cve-icon cve-icon
http://www.securitytracker.com/id/1034541 cve-icon cve-icon
http://www.securitytracker.com/id/1036467 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2863-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2864-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2865-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2866-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2884-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2904-1 cve-icon cve-icon
https://access.redhat.com/articles/2112261 cve-icon
https://access.redhat.com/errata/RHSA-2016:1430 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=1158489 cve-icon cve-icon
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2015-7575 cve-icon
https://security.gentoo.org/glsa/201701-46 cve-icon cve-icon
https://security.gentoo.org/glsa/201706-18 cve-icon cve-icon
https://security.gentoo.org/glsa/201801-15 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20160225-0001/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2015-7575 cve-icon
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/ cve-icon
History

Tue, 22 Oct 2024 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox_esr:38.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.2.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.3.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.4.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.0.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.1.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.2.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.3.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.4.0:*:*:*:*:*:*:*
Vendors & Products Mozilla firefox Esr

Mon, 21 Oct 2024 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox_esr:38.5.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox_esr:38.5.1:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.5.0:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:38.5.1:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2016-01-09T02:00:00

Updated: 2024-08-06T07:51:28.586Z

Reserved: 2015-09-29T00:00:00

Link: CVE-2015-7575

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2016-01-09T02:59:10.910

Modified: 2024-11-21T02:37:00.637

Link: CVE-2015-7575

cve-icon Redhat

Severity : Moderate

Publid Date: 2016-01-06T00:00:00Z

Links: CVE-2015-7575 - Bugzilla