CVE-2015-4000

NameCVE-2015-4000
DescriptionThe TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-247-1, DLA-303-1, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3316-1, DSA-3324-1, DSA-3339-1, DSA-3688-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icedove (PTS)jessie1:52.3.0-4~deb8u2fixed
nss (PTS)jessie, jessie (lts)2:3.26-1+debu8u19fixed
stretch (security)2:3.26.2-1.1+deb9u5fixed
stretch (lts), stretch2:3.26.2-1.1+deb9u8fixed
buster, buster (lts)2:3.42.1-1+deb10u9fixed
buster (security)2:3.42.1-1+deb10u8fixed
bullseye2:3.61-1+deb11u3fixed
bullseye (security)2:3.61-1+deb11u4fixed
bookworm2:3.87.1-1fixed
bookworm (security)2:3.87.1-1+deb12u1fixed
sid, trixie2:3.106-1fixed
openjdk-7 (PTS)jessie, jessie (lts)7u321-2.6.28-0+deb8u1fixed
openjdk-8 (PTS)jessie, jessie (lts)8u432-b06-2~deb8u1fixed
stretch (security)8u332-ga-1~deb9u1fixed
stretch (lts), stretch8u432-b06-2~deb9u1fixed
sid8u432-b06-2fixed
openssl (PTS)jessie, jessie (lts)1.0.1t-1+deb8u22fixed
stretch (security)1.1.0l-1~deb9u6fixed
stretch (lts), stretch1.1.0l-1~deb9u10fixed
buster, buster (lts)1.1.1n-0+deb10u7fixed
buster (security)1.1.1n-0+deb10u6fixed
bullseye1.1.1w-0+deb11u1fixed
bullseye (security)1.1.1w-0+deb11u2fixed
bookworm3.0.15-1~deb12u1fixed
bookworm (security)3.0.14-1~deb12u2fixed
sid, trixie3.3.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icedovesourcewheezy31.8.0-1~deb7u1DSA-3324-1
icedovesourcejessie31.8.0-1~deb8u1DSA-3324-1
icedovesource(unstable)38.1.0-1
iceweaselsourcewheezy31.8.0esr-1~deb7u1DSA-3300-1
iceweaselsourcejessie31.8.0esr-1~deb8u1DSA-3300-1
nsssourcewheezy2:3.14.5-1+deb7u7DLA-507-1
nsssourcejessie2:3.26-1+debu8u1DSA-3688-1
nsssource(unstable)2:3.19.1-1
openjdk-6sourceexperimental6b36-1.13.8-1
openjdk-6sourcesqueeze6b36-1.13.8-1~deb6u1DLA-303-1
openjdk-6sourcewheezy6b36-1.13.8-1~deb7u1DSA-3339-1
openjdk-6source(unstable)(unfixed)
openjdk-7sourcewheezy7u79-2.5.6-1~deb7u1DSA-3316-1
openjdk-7sourcejessie7u79-2.5.6-1~deb8u1DSA-3316-1
openjdk-7source(unstable)7u79-2.5.6-1
openjdk-8source(unstable)8u66-b01-1
opensslsourcesqueeze0.9.8o-4squeeze21DLA-247-1
opensslsourcewheezy1.0.1e-2+deb7u17DSA-3287-1
opensslsourcejessie1.0.1k-3+deb8u1DSA-3287-1
opensslsource(unstable)1.0.2b-1

Notes

[squeeze] - nss <no-dsa> (no point in switching min key size so close to EOL)
CVE assigned specific to vulnerability in the TLS protocol that was
disclosed in section 3.2 of the
https://weakdh.org/imperfect-forward-secrecy.pdf paper.
Some links on the status of various implementations/protocols:
IKE/IPSEC: https://nohats.ca/wordpress/blog/2015/05/20/weakdh-and-ike-ipsec/
OpenSSL: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
OpenSSL 1.0.2b-1 limits it to 768 bit, future versions will increase the limit
GNUTLS: http://lists.gnutls.org/pipermail/gnutls-devel/2015-May/007597.html
NSS/iceweasel/icedove: https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/
NSS patch increasing limit to 1023 bits: https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24

Search for package or bug name: Reporting problems