CVE-2015-4000

Name: CVE-2015-4000
Description: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-247-1, DLA-303-1, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3316-1, DSA-3324-1, DSA-3339-1, DSA-3688-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                      Version                  Status
icedove (PTS)      wheezy                       38.7.0-1~deb7u1          fixed
                   wheezy (security)            1:52.3.0-4~deb7u2        fixed
                   jessie                       1:45.8.0-3~deb8u1        fixed
                   jessie (security)            1:52.3.0-4~deb8u2        fixed
                   stretch (security), stretch  1:52.3.0-4~deb9u1        fixed
                   sid                          1:52.3.0-4               fixed
iceweasel (PTS)    wheezy, wheezy (security)    38.8.0esr-1~deb7u1       fixed
nss (PTS)          wheezy                       2:3.14.5-1+deb7u5        vulnerable
                   wheezy (security)            2:3.26-1+debu7u5         fixed
                   jessie (security), jessie    2:3.26-1+debu8u3         fixed
                   stretch (security), stretch  2:3.26.2-1.1+deb9u1      fixed
                   buster, sid                  2:3.34-1                 fixed
openjdk-6 (PTS)    wheezy, wheezy (security)    6b38-1.13.10-1~deb7u1    fixed
openjdk-7 (PTS)    wheezy                       7u95-2.6.4-1~deb7u1      fixed
                   wheezy (security)            7u151-2.6.11-2~deb7u3    fixed
                   jessie                       7u111-2.6.7-1~deb8u1     fixed
                   jessie (security)            7u151-2.6.11-2~deb8u1    fixed
openjdk-8 (PTS)    stretch (security), stretch  8u151-b12-1~deb9u1       fixed
                   buster, sid                  8u151-b12-1              fixed
openssl (PTS)      wheezy                       1.0.1e-2+deb7u20         fixed
                   wheezy (security)            1.0.1t-1+deb7u3          fixed
                   jessie (security), jessie    1.0.1t-1+deb8u7          fixed
                   stretch (security), stretch  1.1.0f-3+deb9u1          fixed
                   buster, sid                  1.1.0g-2                 fixed

The information below is based on the following data on fixed versions.

Package     Type     Release        Fixed Version           Urgency   Origin       Debian Bugs
icedove     source   (unstable)     38.1.0-1                medium
icedove     source   jessie         31.8.0-1~deb8u1         medium    DSA-3324-1
icedove     source   wheezy         31.8.0-1~deb7u1         medium    DSA-3324-1
iceweasel   source   jessie         31.8.0esr-1~deb8u1      medium    DSA-3300-1
iceweasel   source   wheezy         31.8.0esr-1~deb7u1      medium    DSA-3300-1
nss         source   (unstable)     2:3.19.1-1              medium
nss         source   jessie         2:3.26-1+debu8u1        medium    DSA-3688-1
nss         source   wheezy         2:3.14.5-1+deb7u7       medium    DLA-507-1
openjdk-6   source   (unstable)     (unfixed)               medium
openjdk-6   source   experimental   6b36-1.13.8-1           medium
openjdk-6   source   squeeze        6b36-1.13.8-1~deb6u1    medium    DLA-303-1
openjdk-6   source   wheezy         6b36-1.13.8-1~deb7u1    medium    DSA-3339-1
openjdk-7   source   (unstable)     7u79-2.5.6-1            medium
openjdk-7   source   jessie         7u79-2.5.6-1~deb8u1     medium    DSA-3316-1
openjdk-7   source   wheezy         7u79-2.5.6-1~deb7u1     medium    DSA-3316-1
openjdk-8   source   (unstable)     8u66-b01-1              medium
openssl     source   (unstable)     1.0.2b-1                medium
openssl     source   jessie         1.0.1k-3+deb8u1         medium    DSA-3287-1
openssl     source   squeeze        0.9.8o-4squeeze21       medium    DLA-247-1
openssl     source   wheezy         1.0.1e-2+deb7u17        medium    DSA-3287-1

Notes

[squeeze] - nss <no-dsa> (no point in switching min key size so close to EOL)
The CVE is assigned specifically to the vulnerability in the TLS protocol that was disclosed in section 3.2 of the https://weakdh.org/imperfect-forward-secrecy.pdf paper.
Some links on the status of various implementations/protocols:
IKE/IPSEC: https://nohats.ca/wordpress/blog/2015/05/20/weakdh-and-ike-ipsec/
OpenSSL: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
OpenSSL 1.0.2b-1 sets the minimum accepted DH key size to 768 bits; future versions will raise the limit.
GNUTLS: http://lists.gnutls.org/pipermail/gnutls-devel/2015-May/007597.html
NSS/iceweasel/icedove: https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/
NSS patch increasing limit to 1023 bits: https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
