CVE-2015-4000

Name	CVE-2015-4000
Description	The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-247-1, DLA-303-1, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3316-1, DSA-3324-1, DSA-3339-1, DSA-3688-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
icedove (PTS)	jessie	1:52.3.0-4~deb8u2	fixed
nss (PTS)	jessie, jessie (lts)	2:3.26-1+debu8u19	fixed
	stretch (security)	2:3.26.2-1.1+deb9u5	fixed
	stretch (lts), stretch	2:3.26.2-1.1+deb9u8	fixed
	buster, buster (lts)	2:3.42.1-1+deb10u9	fixed
	buster (security)	2:3.42.1-1+deb10u8	fixed
	bullseye	2:3.61-1+deb11u3	fixed
	bullseye (security)	2:3.61-1+deb11u4	fixed
	bookworm	2:3.87.1-1	fixed
	bookworm (security)	2:3.87.1-1+deb12u1	fixed
	trixie	2:3.105-2	fixed
	sid	2:3.106-1	fixed
openjdk-7 (PTS)	jessie, jessie (lts)	7u321-2.6.28-0+deb8u1	fixed
openjdk-8 (PTS)	jessie, jessie (lts)	8u432-b06-2~deb8u1	fixed
	stretch (security)	8u332-ga-1~deb9u1	fixed
	stretch (lts), stretch	8u432-b06-2~deb9u1	fixed
	sid	8u432-b06-2	fixed
openssl (PTS)	jessie, jessie (lts)	1.0.1t-1+deb8u21	fixed
	stretch (security)	1.1.0l-1~deb9u6	fixed
	stretch (lts), stretch	1.1.0l-1~deb9u9	fixed
	buster (security), buster, buster (lts)	1.1.1n-0+deb10u6	fixed
	bullseye	1.1.1w-0+deb11u1	fixed
	bullseye (security)	1.1.1w-0+deb11u2	fixed
	bookworm	3.0.15-1~deb12u1	fixed
	bookworm (security)	3.0.14-1~deb12u2	fixed
	sid, trixie	3.3.2-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
icedove	source	wheezy	31.8.0-1~deb7u1	DSA-3324-1
icedove	source	jessie	31.8.0-1~deb8u1	DSA-3324-1
icedove	source	(unstable)	38.1.0-1
iceweasel	source	wheezy	31.8.0esr-1~deb7u1	DSA-3300-1
iceweasel	source	jessie	31.8.0esr-1~deb8u1	DSA-3300-1
nss	source	wheezy	2:3.14.5-1+deb7u7	DLA-507-1
nss	source	jessie	2:3.26-1+debu8u1	DSA-3688-1
nss	source	(unstable)	2:3.19.1-1
openjdk-6	source	experimental	6b36-1.13.8-1
openjdk-6	source	squeeze	6b36-1.13.8-1~deb6u1	DLA-303-1
openjdk-6	source	wheezy	6b36-1.13.8-1~deb7u1	DSA-3339-1
openjdk-6	source	(unstable)	(unfixed)
openjdk-7	source	wheezy	7u79-2.5.6-1~deb7u1	DSA-3316-1
openjdk-7	source	jessie	7u79-2.5.6-1~deb8u1	DSA-3316-1
openjdk-7	source	(unstable)	7u79-2.5.6-1
openjdk-8	source	(unstable)	8u66-b01-1
openssl	source	squeeze	0.9.8o-4squeeze21	DLA-247-1
openssl	source	wheezy	1.0.1e-2+deb7u17	DSA-3287-1
openssl	source	jessie	1.0.1k-3+deb8u1	DSA-3287-1
openssl	source	(unstable)	1.0.2b-1

Notes

[squeeze] - nss <no-dsa> (no point in switching min key size so close to EOL)
CVE assigned specific to vulnerability in the TLS protocol that was
disclosed in section 3.2 of the
https://weakdh.org/imperfect-forward-secrecy.pdf paper.
Some links on the status of various implementations/protocols:
IKE/IPSEC: https://nohats.ca/wordpress/blog/2015/05/20/weakdh-and-ike-ipsec/
OpenSSL: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
OpenSSL 1.0.2b-1 limits it to 768 bit, future versions will increase the limit
GNUTLS: http://lists.gnutls.org/pipermail/gnutls-devel/2015-May/007597.html
NSS/iceweasel/icedove: https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/
NSS patch increasing limit to 1023 bits: https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24