what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 9 of 9 RSS Feed

CVE-2015-2721

Status Candidate

Overview

Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue.

Related Files

Gentoo Linux Security Advisory 201701-46
Posted Jan 20, 2017
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201701-46 - Multiple vulnerabilities have been found in NSS, the worst of which could allow remote attackers to obtain access to private key information. Versions less than 3.28 are affected.

tags | advisory, remote, vulnerability
systems | linux, gentoo
advisories | CVE-2015-2721, CVE-2015-4000, CVE-2015-7575, CVE-2016-1938, CVE-2016-5285, CVE-2016-8635, CVE-2016-9074
SHA-256 | b1cd45ec7124022777ee15626d3b9e992a81649ff892fb429b6fc114d81bce0f
Gentoo Linux Security Advisory 201512-10
Posted Dec 30, 2015
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201512-10 - Multiple vulnerabilities have been found in Mozilla Firefox and Thunderbird, the worst of which may allow user-assisted execution of arbitrary code. Versions less than 38.5.0 are affected.

tags | advisory, arbitrary, vulnerability
systems | linux, gentoo
advisories | CVE-2015-0798, CVE-2015-0799, CVE-2015-0801, CVE-2015-0802, CVE-2015-0803, CVE-2015-0804, CVE-2015-0805, CVE-2015-0806, CVE-2015-0807, CVE-2015-0808, CVE-2015-0810, CVE-2015-0811, CVE-2015-0812, CVE-2015-0813, CVE-2015-0814, CVE-2015-0815, CVE-2015-0816, CVE-2015-2706, CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731
SHA-256 | 8b345c71a57deda9f0a8d7eb50719b94a327aadac84155e9eb75aa9517d6449e
Red Hat Security Advisory 2015-1664-01
Posted Aug 24, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1664-01 - Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. It was found that NSS permitted skipping of the ServerKeyExchange packet during a handshake involving ECDHE. A remote attacker could use this flaw to bypass the forward-secrecy of a TLS/SSL connection. A flaw was found in the way NSS verified certain ECDSA signatures. Under certain conditions, an attacker could use this flaw to conduct signature forgery attacks.

tags | advisory, remote
systems | linux, redhat
advisories | CVE-2015-2721, CVE-2015-2730
SHA-256 | 3498aaba984c0397d5021e266a21f7fc2203bcbcadf82c1c6ff3c6e60f6a2e4b
Debian Security Advisory 3336-1
Posted Aug 18, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3336-1 - Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2015-2721, CVE-2015-2730
SHA-256 | c249f65af6b2ddadb404c102b050930cb56b50a78eca79a351276696247fa0de
Debian Security Advisory 3324-1
Posted Aug 4, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3324-1 - Multiple security issues have been found in Icedove, Debian's version use-after-frees and other implementation errors may lead to the execution of arbitrary code or denial of service. This update also addresses a vulnerability in DHE key processing commonly known as the "LogJam" vulnerability.

tags | advisory, denial of service, arbitrary
systems | linux, debian
advisories | CVE-2015-2721, CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-4000
SHA-256 | c1dd84ed3f684df498d226e215df6097b473d332a45df7474dc930f492d4b553
Ubuntu Security Notice USN-2673-1
Posted Jul 20, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2673-1 - Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. Bob Clary, Christian Holler, Bobby Holley, and Andrew McCreight discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. Various other issues were also addressed.

tags | advisory, remote, denial of service, arbitrary
systems | linux, ubuntu
advisories | CVE-2015-2721, CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-4000
SHA-256 | edcecb45d145f10f0b7e4ff7d56649529e2e69c9512e45839ce5892952206428
Ubuntu Security Notice USN-2656-2
Posted Jul 16, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2656-2 - USN-2656-1 fixed vulnerabilities in Firefox for Ubuntu 14.04 LTS and later releases. This update provides the corresponding update for Ubuntu 12.04 LTS. Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. Looben Yan discovered 2 use-after-free issues when using XMLHttpRequest in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Various other issues were also addressed.

tags | advisory, remote, denial of service, arbitrary, vulnerability
systems | linux, ubuntu
advisories | CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743, CVE-2015-4000
SHA-256 | 328cec1a37ec3067650890b309d1dd0a9ac8e5ee91e22185327112346ae999c2
Ubuntu Security Notice USN-2656-1
Posted Jul 9, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2656-1 - Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. Looben Yan discovered 2 use-after-free issues when using XMLHttpRequest in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Various other issues were also addressed.

tags | advisory, remote, denial of service, arbitrary
systems | linux, ubuntu
advisories | CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2727, CVE-2015-2728, CVE-2015-2729, CVE-2015-2730, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-2743, CVE-2015-4000
SHA-256 | 8b8e1309051b659a9010aa4da8be7f871c23e5dcdb455674eaf7979c0a9f13b8
Ubuntu Security Notice USN-2672-1
Posted Jul 9, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2672-1 - Karthikeyan Bhargavan discovered that NSS incorrectly handled state transitions for the TLS state machine. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to skip the ServerKeyExchange message and remove the forward-secrecy property. Watson Ladd discovered that NSS incorrectly handled Elliptical Curve Cryptography (ECC) multiplication. A remote attacker could possibly use this issue to spoof ECDSA signatures. Various other issues were also addressed.

tags | advisory, remote, spoof
systems | linux, ubuntu
advisories | CVE-2015-2721, CVE-2015-2730
SHA-256 | 4be7b0e840bb29a6f1d98997375889e451adecbf983bb8a60512c613ea039d76
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close