Hide Forgot
A new class of transcript collision attacks on the use of MD5 in key exchange protocol was found in TLS 1.2. Due to several high-profile attacks against MD5, there is now consensus among certification authorities and software vendors to stop issuing and accepting new MD5 certificates. However MD5 continues to be supported in key exchange protocol for TLS 1.2 and also in IPSec and SSH-2. A almost-practical impersonation and downgrade attack was demostrated for IKEv2 and SSH-2 and also a concrete credential forwarding attack against TLS 1.2 client authentication.
It seems openssl already disables RSA+MD5, see: https://github.com/openssl/openssl/commit/45473632c54947859a731dfe2db087c002ef7aa7
CVE-2015-7575 has been assigned to this issue.
Public now: External References: https://access.redhat.com/articles/2112261 http://www.mitls.org/pages/attacks/SLOTH https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 1296221]
Created nss tracking bugs for this issue: Affects: fedora-all [bug 1296219]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1296218]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:0007 https://rhn.redhat.com/errata/RHSA-2016-0007.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0012 https://rhn.redhat.com/errata/RHSA-2016-0012.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0008 https://rhn.redhat.com/errata/RHSA-2016-0008.html
OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1ad1d1b46fef For Oracle Java SE, this was corrected in versions 7u95 and 8u71 via Oracle Critical Patch Update - January 2016: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0050 https://rhn.redhat.com/errata/RHSA-2016-0050.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0049 https://rhn.redhat.com/errata/RHSA-2016-0049.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0056 https://rhn.redhat.com/errata/RHSA-2016-0056.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0055 https://rhn.redhat.com/errata/RHSA-2016-0055.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0053 https://rhn.redhat.com/errata/RHSA-2016-0053.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2016:0054 https://rhn.redhat.com/errata/RHSA-2016-0054.html
openssl101e-1.0.1e-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0101 https://rhn.redhat.com/errata/RHSA-2016-0101.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2016:0100 https://rhn.redhat.com/errata/RHSA-2016-0100.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2016:0098 https://rhn.redhat.com/errata/RHSA-2016-0098.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2016:0099 https://rhn.redhat.com/errata/RHSA-2016-0099.html
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430