Bug 960996 - (CVE-2015-7575) VUL-0: CVE-2015-7575: SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Importance: P3 - Medium, Normal
Assigned To: Security Team bot
Depends on: 929690 959888 961284 961357 CVE-2016-0402 967521
Reported: 2016-01-07 13:35 UTC by Johannes Segitz
Modified: 2020-04-23 11:58 UTC (History)
Description Johannes Segitz 2016-01-07 13:35:30 UTC
Karthikeyan Bhargavan and Gaetan Leurent identified a new class of transcript collision attacks on popular cryptographic protocols such as TLS, IKE, and SSH that significantly reduce their expected security.

http://www.mitls.org/pages/attacks/SLOTH
SLOTH - Security Losses from Obsolete and Truncated Transcript Hashes

Technical Paper: Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH, Karthikeyan Bhargavan and Gaetan Leurent, Network and Distributed System Security Symposium (NDSS 2016)
http://www.mitls.org/downloads/transcript-collisions.pdf

CVE-2015-7575 "assigned protocol level CVE"

Will use this bug as a master.
Comment 1 Swamp Workflow Management 2016-01-07 23:00:15 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-01-08 19:21:47 UTC
mozilla nss is in bug 959888
openssl has this statement:

openssl 0.9.8 is not affected as it does not implement TLS 1.2
openssl 1.0.1f and later are not affected.

-> no SUSE version of openssl is affected at this time.
Comment 3 Marcus Meissner 2016-01-11 16:59:18 UTC
gnutls is tracked in bug 929690
Comment 4 Johannes Segitz 2016-01-20 10:51:21 UTC
Java tracked in bnc#962743
Comment 5 Swamp Workflow Management 2016-01-27 14:13:52 UTC
SUSE-SU-2016:0256-1: An update that fixes 8 vulnerabilities is now available.

Category: security (critical)
Bug References: 960996,962743
CVE References: CVE-2015-7575,CVE-2015-8126,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0475,CVE-2016-0483,CVE-2016-0494
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.72-3.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.72-3.2
Comment 6 Swamp Workflow Management 2016-01-27 20:11:38 UTC
openSUSE-SU-2016:0263-1: An update that fixes 8 vulnerabilities is now available.

Category: security (critical)
Bug References: 960996,962743
CVE References: CVE-2015-7575,CVE-2015-8126,CVE-2015-8472,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Sources used:
openSUSE 13.2 (src):    java-1_8_0-openjdk-1.8.0.72-21.1
Comment 7 Swamp Workflow Management 2016-01-27 20:12:34 UTC
SUSE-SU-2016:0265-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 939523,960996,962743
CVE References: CVE-2015-4871,CVE-2015-7575,CVE-2015-8126,CVE-2015-8472,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_7_0-openjdk-1.7.0.95-24.2
SUSE Linux Enterprise Server 12 (src):    java-1_7_0-openjdk-1.7.0.95-24.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_7_0-openjdk-1.7.0.95-24.2
SUSE Linux Enterprise Desktop 12 (src):    java-1_7_0-openjdk-1.7.0.95-24.2
Comment 8 Swamp Workflow Management 2016-01-27 20:13:52 UTC
openSUSE-SU-2016:0268-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 939523,960996,962743
CVE References: CVE-2015-4871,CVE-2015-7575,CVE-2015-8126,CVE-2015-8472,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Sources used:
openSUSE 13.2 (src):    java-1_7_0-openjdk-1.7.0.95-16.1, java-1_7_0-openjdk-bootstrap-1.7.0.95-16.1
Comment 9 Swamp Workflow Management 2016-01-27 20:14:26 UTC
SUSE-SU-2016:0269-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 960996,962743
CVE References: CVE-2015-4871,CVE-2015-7575,CVE-2015-8126,CVE-2015-8472,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Sources used:
SUSE Linux Enterprise Desktop 11-SP4 (src):    java-1_7_0-openjdk-1.7.0.95-0.17.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    java-1_7_0-openjdk-1.7.0.95-0.17.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    java-1_7_0-openjdk-1.7.0.95-0.17.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    java-1_7_0-openjdk-1.7.0.95-0.17.2
Comment 10 Swamp Workflow Management 2016-01-27 20:14:59 UTC
openSUSE-SU-2016:0270-1: An update that fixes 32 vulnerabilities is now available.

Category: security (critical)
Bug References: 951376,960996,962743
CVE References: CVE-2015-4734,CVE-2015-4803,CVE-2015-4805,CVE-2015-4806,CVE-2015-4810,CVE-2015-4835,CVE-2015-4840,CVE-2015-4842,CVE-2015-4843,CVE-2015-4844,CVE-2015-4860,CVE-2015-4868,CVE-2015-4872,CVE-2015-4881,CVE-2015-4882,CVE-2015-4883,CVE-2015-4893,CVE-2015-4901,CVE-2015-4902,CVE-2015-4903,CVE-2015-4906,CVE-2015-4908,CVE-2015-4911,CVE-2015-4916,CVE-2015-7575,CVE-2015-8126,CVE-2015-8472,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Sources used:
openSUSE Leap 42.1 (src):    java-1_8_0-openjdk-1.8.0.72-6.1
Comment 11 Swamp Workflow Management 2016-01-28 19:11:32 UTC
openSUSE-SU-2016:0279-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 939523,960996,962743
CVE References: CVE-2015-4871,CVE-2015-7575,CVE-2015-8126,CVE-2015-8472,CVE-2016-0402,CVE-2016-0448,CVE-2016-0466,CVE-2016-0483,CVE-2016-0494
Sources used:
openSUSE Leap 42.1 (src):    java-1_7_0-openjdk-1.7.0.95-25.1, java-1_7_0-openjdk-bootstrap-1.7.0.95-25.1
Comment 12 Alexandros Toptsoglou 2020-04-23 11:58:18 UTC
Done