[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Bug watch added: Mozilla Bugzilla #1138554 https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 ** Also affects: nss via https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/nss/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Bug watch added: Mozilla Bugzilla #1138554 https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 ** Also affects: nss via https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/nss/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: nss Status: Unknown = Fix Released ** Changed in: nss Importance: Unknown = Medium -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/nss/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: nss Status: Unknown = Fix Released ** Changed in: nss Importance: Unknown = Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/nss/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: firefox (Ubuntu) Status: Confirmed = Triaged ** Changed in: firefox (Ubuntu) Importance: Undecided = Critical -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: firefox (Ubuntu) Status: Confirmed = Triaged ** Changed in: firefox (Ubuntu) Importance: Undecided = Critical -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: nss (Ubuntu) Status: Confirmed = Triaged ** Changed in: firefox (Ubuntu) Status: Confirmed = Triaged ** No longer affects: firefox (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: nss (Ubuntu) Status: Confirmed = Triaged ** Changed in: firefox (Ubuntu) Status: Confirmed = Triaged ** No longer affects: firefox (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Also affects: firefox (Ubuntu) Importance: Undecided Status: New ** Changed in: firefox (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Also affects: firefox (Ubuntu) Importance: Undecided Status: New ** Changed in: firefox (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
3.19.2 was just released[1] with: Notable Changes in NSS 3.19.2 Bug 1172128 - In NSS 3.19.1, the minimum key sizes that the freebl cryptographic implementation (part of the softoken cryptographic module used by default by NSS) was willing to generate or use was increased - for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix for Bug 1138554 / CVE-2015-4000. Applications that requested or attempted to use keys smaller then the minimum size would fail. However, this change in behaviour unintentionally broke existing NSS applications that need to generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey. In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for Bug 1138554 has been moved to libssl, and will now only affect the minimum keystrengths used in SSL/TLS. Note: Future versions of NSS may increase the minimum keysizes required by the freebl module. Consumers of NSS are strongly encouraged to migrate to stronger cryptographic strengths as soon as possible. [1]https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-4000 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
3.19.2 was just released[1] with: Notable Changes in NSS 3.19.2 Bug 1172128 - In NSS 3.19.1, the minimum key sizes that the freebl cryptographic implementation (part of the softoken cryptographic module used by default by NSS) was willing to generate or use was increased - for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix for Bug 1138554 / CVE-2015-4000. Applications that requested or attempted to use keys smaller then the minimum size would fail. However, this change in behaviour unintentionally broke existing NSS applications that need to generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey. In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for Bug 1138554 has been moved to libssl, and will now only affect the minimum keystrengths used in SSL/TLS. Note: Future versions of NSS may increase the minimum keysizes required by the freebl module. Consumers of NSS are strongly encouraged to migrate to stronger cryptographic strengths as soon as possible. [1]https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2015-4000 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: firefox (Ubuntu) Importance: Undecided = Critical ** Changed in: nss (Ubuntu) Importance: Undecided = Critical ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Changed in: firefox (Ubuntu) Importance: Undecided = Critical ** Changed in: nss (Ubuntu) Importance: Undecided = Critical ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: nss (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: firefox (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: nss (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: firefox (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
** Description changed: Hint: http://www.ubuntu.com/usn/usn-2639-1/ As a security improvement, this update also modifies OpenSSL behaviour to reject DH key sizes below 768 bits, preventing a possible downgrade attack. I installed the update but the test site says, i'm still vulnerable (see attachted screen shot). Site: https://weakdh.org/ - Xubuntu 15.04 -- up-to-date - openSSL 1.0.1f-1ubuntu11.4 -- up-to-date - - Firefox 38.0+build3-0ubuntu0.15.04.1 -- up-to-date (even there are the versions 38.05 and 38.0.6 on the mozilla server availeable) + - Firefox 38.0+build3-0ubuntu0.15.04.1 -- up-to-date (even there are the versions 38.0.5 and 38.0.6 on the mozilla server available) - Chromium 43.0.2357.81-0ubuntu0.15.04.1.1170 -- up-to-date ProblemType: Bug DistroRelease: Ubuntu 15.04 Package: openssl 1.0.1f-1ubuntu11.4 ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8 Uname: Linux 3.19.0-20-generic x86_64 ApportVersion: 2.17.2-0ubuntu1.1 Architecture: amd64 Date: Sun Jun 14 15:34:46 2015 InstallationDate: Installed on 2015-05-28 (16 days ago) InstallationMedia: Xubuntu 15.04 Vivid Vervet - Release amd64 (20150422.1) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) ** Description changed: Hint: http://www.ubuntu.com/usn/usn-2639-1/ As a security improvement, this update also modifies OpenSSL behaviour to reject DH key sizes below 768 bits, preventing a possible downgrade attack. I installed the update but the test site says, i'm still vulnerable (see attachted screen shot). Site: https://weakdh.org/ - Xubuntu 15.04 -- up-to-date - openSSL 1.0.1f-1ubuntu11.4 -- up-to-date - Firefox 38.0+build3-0ubuntu0.15.04.1 -- up-to-date (even there are the versions 38.0.5 and 38.0.6 on the mozilla server available) - Chromium 43.0.2357.81-0ubuntu0.15.04.1.1170 -- up-to-date + + ProblemType: Bug DistroRelease: Ubuntu 15.04 Package: openssl 1.0.1f-1ubuntu11.4 ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8 Uname: Linux 3.19.0-20-generic x86_64 ApportVersion: 2.17.2-0ubuntu1.1 Architecture: amd64 Date: Sun Jun 14 15:34:46 2015 InstallationDate: Installed on 2015-05-28 (16 days ago) InstallationMedia: Xubuntu 15.04 Vivid Vervet - Release amd64 (20150422.1) SourcePackage: openssl UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
I think that site is simply printing the warning based on the browser user agent, and not actually testing for the vulnerability. logjam is planned to be officially addressed in Firefox 39, so it will probably change once firefox 39 gets pushed out. ** Package changed: openssl (Ubuntu) = firefox (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
Chrome and Firefox both uses NSS. NSS 3.19.1 contains fixes to mitigate logjam by increasing the minimum modulus size for Diffie-Hellman keys to 1023 bits[1]. Maybe we can look into backporting that. [1]https://developer.mozilla.org/en- US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes ** Also affects: nss (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1465014] Re: after update still vulnerable against LOGJAM
Chrome and Firefox both uses NSS. NSS 3.19.1 contains fixes to mitigate logjam by increasing the minimum modulus size for Diffie-Hellman keys to 1023 bits[1]. Maybe we can look into backporting that. [1]https://developer.mozilla.org/en- US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes ** Also affects: nss (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1465014 Title: after update still vulnerable against LOGJAM To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs