Bug 1289841 (CVE-2015-7575, SLOTH)
| Summary: | CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahughes, bbaranow, bmaxwell, carnil, cdewolf, cperry, csutherl, dandread, darran.lofthouse, dknox, hkario, huzaifas, jason.greene, jawilson, jboss-set, jclere, jdoyle, ksrot, lgao, mbabacek, mjc, myarboro, nmavrogi, pgier, psakar, pslavice, pwouters, rrelyea, rsvoboda, security-response-team, slawomir, slong, szidek, tmraz, twalsh, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:46:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1289881, 1289882, 1289883, 1289884, 1289885, 1289886, 1289887, 1289888, 1289889, 1289890, 1289891, 1289892, 1296218, 1296219, 1296221, 1297310 | ||
| Bug Blocks: | 1289842, 1295699, 1298491 | ||
|
Description
Huzaifa S. Sidhpurwala
2015-12-09 06:46:45 UTC
It seems openssl already disables RSA+MD5, see: https://github.com/openssl/openssl/commit/45473632c54947859a731dfe2db087c002ef7aa7 CVE-2015-7575 has been assigned to this issue. Public now: External References: https://access.redhat.com/articles/2112261 http://www.mitls.org/pages/attacks/SLOTH https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/ Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 1296221] Created nss tracking bugs for this issue: Affects: fedora-all [bug 1296219] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1296218] This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:0007 https://rhn.redhat.com/errata/RHSA-2016-0007.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0012 https://rhn.redhat.com/errata/RHSA-2016-0012.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0008 https://rhn.redhat.com/errata/RHSA-2016-0008.html OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef For Oracle Java SE, this was corrected in versions 7u95 and 8u71 via Oracle Critical Patch Update - January 2016: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0050 https://rhn.redhat.com/errata/RHSA-2016-0050.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0049 https://rhn.redhat.com/errata/RHSA-2016-0049.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0056 https://rhn.redhat.com/errata/RHSA-2016-0056.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0055 https://rhn.redhat.com/errata/RHSA-2016-0055.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0053 https://rhn.redhat.com/errata/RHSA-2016-0053.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2016:0054 https://rhn.redhat.com/errata/RHSA-2016-0054.html openssl101e-1.0.1e-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2016:0098 https://rhn.redhat.com/errata/RHSA-2016-0098.html This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430 |