desktop-packages team mailing list archive
Message #123507
[Bug 1465014] Re: after update still vulnerable against LOGJAM
I think that site is simply printing the warning based on the browser
user agent, and not actually testing for the vulnerability.
Logjam is planned to be officially addressed in Firefox 39, so it will
probably change once Firefox 39 gets pushed out.
** Package changed: openssl (Ubuntu) => firefox (Ubuntu)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1465014
Title:
after update still vulnerable against LOGJAM
Status in firefox package in Ubuntu:
New
Bug description:
Hint: http://www.ubuntu.com/usn/usn-2639-1/
"As a security improvement, this update also modifies OpenSSL
behaviour to reject DH key sizes below 768 bits, preventing a possible
downgrade attack."
I installed the update but the test site says I'm still vulnerable (see attached screenshot).
Site: https://weakdh.org/
- Xubuntu 15.04 -- up-to-date
- OpenSSL 1.0.1f-1ubuntu11.4 -- up-to-date
- Firefox 38.0+build3-0ubuntu0.15.04.1 -- up-to-date (even though versions 38.0.5 and 38.0.6 are available on the Mozilla server)
- Chromium 43.0.2357.81-0ubuntu0.15.04.1.1170 -- up-to-date
--------------------------------------------------------------------------------
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: openssl 1.0.1f-1ubuntu11.4
ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8
Uname: Linux 3.19.0-20-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
Date: Sun Jun 14 15:34:46 2015
InstallationDate: Installed on 2015-05-28 (16 days ago)
InstallationMedia: Xubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422.1)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1465014/+subscriptions
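
An added illustration, not code from Ubuntu, OpenSSL or this bug report: the kind of client-side check the quoted USN text describes (reject DH groups below 768 bits), applied to the DH parameters in a TLS ServerKeyExchange message instead of inferring exposure from a user agent. All function names are assumptions, and the sample messages are constructed, with moduli that are plain integers of the stated size rather than real primes.

```python
import struct

MIN_DH_BITS = 768  # threshold quoted from USN-2639-1 in the bug description

class DHParamError(ValueError):
    """Raised when the ServerKeyExchange bytes are malformed."""

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then data."""
    if off + 2 > len(buf):
        raise DHParamError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise DHParamError("bad vector length")
    return buf[off:off + n], off + n

def parse_server_dh_params(msg):
    """Return (p, g, Ys) from a handshake message of type server_key_exchange."""
    if len(msg) < 4 or msg[0] != 12:  # 12 = server_key_exchange
        raise DHParamError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise DHParamError("truncated handshake body")
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, _ = _read_vec16(body, off)  # a signature may follow; ignored here
    return tuple(int.from_bytes(v, "big") for v in (p, g, ys))

def accept_dh_group(msg, min_bits=MIN_DH_BITS):
    """Return (accepted, modulus_bits) for the group the server offered."""
    p, _, _ = parse_server_dh_params(msg)
    bits = p.bit_length()  # leading zero bytes do not inflate the size
    return bits >= min_bits, bits

def build_ske(p, g, ys, pad_p_to=None):
    """Construct a sample message for testing (not captured traffic)."""
    def vec(n, width=None):
        raw = n.to_bytes(width or (n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(raw)) + raw
    body = vec(p, pad_p_to) + vec(g) + vec(ys)
    return bytes([12]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (512, 768, 1024):
        sample = build_ske((1 << (bits - 1)) | 1, 2, 5)  # constructed modulus
        print(bits, accept_dh_group(sample))
```
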