Jun 07, 2016 - 10:00 a.m.

[SECURITY] [DLA 507-1] nss security update

2016-06-07 10:00:27
lists.debian.org

CVSS3: 3.7 Low (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: LOW
  Availability Impact: NONE

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

EPSS: 0.975 High
  Percentile: 100.0%

Package : nss
Version : 2:3.14.5-1+deb7u7
CVE ID : CVE-2015-4000
Debian Bug : N/A

A vulnerability has been found in nss.

CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is
enabled on a server but not on a client, does not properly convey
a DHE_EXPORT choice, which allows man-in-the-middle attackers to
conduct cipher-downgrade attacks by rewriting a ClientHello with
DHE replaced by DHE_EXPORT and then rewriting a ServerHello with
DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

The solution in nss was to not accept bit lengths less than 1024.
This may potentially be a backwards incompatibility issue but such
low bit lengths should not be in use so it was deemed acceptable.
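
The check described above (refusing Diffie-Hellman primes shorter than 1024 bits), sketched as an added example; this is not NSS's code. It assumes the TLS 1.2 ServerDHParams layout from RFC 5246, and the function names and sample inputs are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MIN_DH_PRIME_BITS 1024 /* limit stated in the advisory */

/* Bits in a big-endian integer; leading zero bytes do not count. */
static size_t bit_length(const uint8_t *v, size_t len) {
    while (len > 0 && *v == 0) { v++; len--; }
    if (len == 0) return 0;
    size_t bits = len * 8;
    for (uint8_t top = *v; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Read one opaque<1..2^16-1> field: 2-byte length, then that many bytes. */
static int read_opaque16(const uint8_t **p, const uint8_t *end,
                         const uint8_t **out, size_t *out_len) {
    if (end - *p < 2) return -1;
    size_t n = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    if (n == 0 || (size_t)(end - *p) < n) return -1; /* empty or truncated */
    *out = *p; *out_len = n; *p += n;
    return 0;
}

/* ServerDHParams (RFC 5246, 7.4.3): 1 = accept, 0 = prime too short, -1 = malformed. */
int check_server_dh_params(const uint8_t *buf, size_t len) {
    const uint8_t *p = buf, *end = buf + len, *dh_p, *dh_g, *dh_ys;
    size_t p_len, g_len, ys_len;
    if (read_opaque16(&p, end, &dh_p, &p_len) ||
        read_opaque16(&p, end, &dh_g, &g_len) ||
        read_opaque16(&p, end, &dh_ys, &ys_len)) return -1;
    return bit_length(dh_p, p_len) >= MIN_DH_PRIME_BITS;
}

/* Constructed input, not a real prime: dh_p = `top` then 0xFF bytes; dh_g = 2, dh_Ys = 4. */
int check_sample(size_t prime_bytes, uint8_t top) {
    uint8_t msg[2 + 512 + 6];
    static const uint8_t tail[] = {0, 1, 2, 0, 1, 4};
    if (prime_bytes < 1 || prime_bytes > 512) return -1;
    msg[0] = (uint8_t)(prime_bytes >> 8); msg[1] = (uint8_t)prime_bytes; msg[2] = top;
    memset(msg + 3, 0xFF, prime_bytes - 1);
    memcpy(msg + 2 + prime_bytes, tail, sizeof tail);
    return check_server_dh_params(msg, 2 + prime_bytes + sizeof tail);
}

int main(void) {
    return printf("512-bit: %d, 1024-bit: %d\n", check_sample(64, 0x80), check_sample(128, 0x80)) < 0;
}
```

Measuring bits rather than bytes matters here: a 128-byte dh_p whose first byte is 0x00 or 0x7F is shorter than 1024 bits and is refused.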

For Debian 7 "Wheezy", this problem has been fixed in version
2:3.14.5-1+deb7u7.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


--------------------- Ola Lundqvist ---------------------------
/ [email protected] Folkebogatan 26
| [email protected] 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F /
