desktop-packages team mailing list archive

[Bug 1465014] Re: Firefox and Chromium still vulnerable against LOGJAM

 

This bug was fixed in the package firefox 39.0+build5-0ubuntu0.15.04.1

---
firefox (39.0+build5-0ubuntu0.15.04.1) vivid-security; urgency=medium

  * New upstream stable release (FIREFOX_39_0_BUILD5)
    - see USN-2656-1

  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/ubuntu-ua-string-changes.patch
  * Bundle our checkout of compare-locales in a different location, given
    that the Mozilla repo now contains a different version of it in the
    location we used previously
    - update debian/build/rules.mk
    - update debian/build/create-tarball.py

 -- Chris Coulson <chris.coulson@xxxxxxxxxxxxx>  Mon, 29 Jun 2015 11:47:44 +0100

** Changed in: firefox (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2721

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2730

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1465014

Title:
  Firefox and Chromium still vulnerable against LOGJAM

Status in Network Security Services (NSS):
  Fix Released
Status in firefox package in Ubuntu:
  Fix Released
Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Hint: http://www.ubuntu.com/usn/usn-2639-1/

  " As a security improvement, this update also modifies OpenSSL
  behaviour to reject DH key sizes below 768 bits, preventing a possible
  downgrade attack. "

  I installed the update, but the test site says I'm still vulnerable (see attached screenshot).
  Site: https://weakdh.org/

  - Xubuntu 15.04  --  up-to-date

  - OpenSSL 1.0.1f-1ubuntu11.4  --  up-to-date

  - Firefox 38.0+build3-0ubuntu0.15.04.1  --   up-to-date (even though versions 38.0.5 and 38.0.6 are available on the Mozilla server)
  - Chromium 43.0.2357.81-0ubuntu0.15.04.1.1170  --  up-to-date

  --------------------------------------------------------------------------------

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: openssl 1.0.1f-1ubuntu11.4
  ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8
  Uname: Linux 3.19.0-20-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: amd64
  Date: Sun Jun 14 15:34:46 2015
  InstallationDate: Installed on 2015-05-28 (16 days ago)
  InstallationMedia: Xubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422.1)
  SourcePackage: openssl
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nss/+bug/1465014/+subscriptions