Firefox and Chromium still vulnerable against LOGJAM
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
NSS | Fix Released | Medium | |
firefox (Ubuntu) | Fix Released | Critical | Unassigned |
nss (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
Hint: http://
"As a security improvement, this update also modifies OpenSSL behaviour to reject DH key sizes below 768 bits, preventing a possible downgrade attack."
I installed the update but the test site says I'm still vulnerable (see attached screenshot).
Site: https:/
- Xubuntu 15.04 -- up-to-date
- openSSL 1.0.1f-1ubuntu11.4 -- up-to-date
- Firefox 38.0+build3-
- Chromium 43.0.2357.
-------
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: openssl 1.0.1f-1ubuntu11.4
ProcVersionSign
Uname: Linux 3.19.0-20-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
Date: Sun Jun 14 15:34:46 2015
InstallationDate: Installed on 2015-05-28 (16 days ago)
InstallationMedia: Xubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422.1)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
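The size check described in the quoted update note (rejecting DH key sizes below 768 bits) can be sketched as below. This is an added example, not code from OpenSSL, NSS or this bug report. The function names and sample values are constructed for illustration, and the parser assumes the TLS `ServerDHParams` wire layout (`dh_p`, `dh_g`, `dh_Ys`, each with a 2-byte length prefix).

```python
import struct

MIN_DH_BITS = 768  # threshold quoted in the bug description


def read_opaque16(buf, offset):
    """Read one TLS opaque<1..2^16-1> field: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("truncated or empty field")
    return buf[offset + 2:end], end


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body.

    Bytes after dh_Ys (the signature) are ignored here.
    """
    p, off = read_opaque16(body, 0)
    g, off = read_opaque16(body, off)
    ys, off = read_opaque16(body, off)
    return tuple(int.from_bytes(x, "big") for x in (p, g, ys))


def check_dh_params(body, min_bits=MIN_DH_BITS):
    """Return (accepted, reason) for a client-side minimum-size policy."""
    try:
        p, _g, _ys = parse_server_dh_params(body)
    except ValueError as exc:
        return False, f"malformed ServerDHParams: {exc}"
    # Use the bit length of the integer, not the byte length of the field,
    # so a small prime padded with leading zero bytes is still rejected.
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"DH prime is {bits} bits, below minimum {min_bits}"
    return True, f"DH prime is {bits} bits"


def encode_field(n, width=0):
    """Encode an integer as a length-prefixed field, optionally zero-padded."""
    raw = n.to_bytes(max(width, (n.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(raw)) + raw


# Constructed sample values: integers of a given size, not real DH groups.
TAIL = encode_field(2) + encode_field(5)
WEAK_512 = encode_field((1 << 511) | 1) + TAIL
PADDED_512 = encode_field((1 << 511) | 1, width=128) + TAIL
OK_1024 = encode_field((1 << 1023) | 1) + TAIL
```
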
description: updated
Changed in firefox (Ubuntu):
importance: Undecided → Critical
Changed in nss (Ubuntu):
importance: Undecided → Critical
information type: Public → Public Security
Changed in nss (Ubuntu):
status: Confirmed → Triaged
Changed in firefox (Ubuntu):
status: Confirmed → Triaged
no longer affects: firefox (Ubuntu)
Changed in firefox (Ubuntu):
status: New → Confirmed
Changed in firefox (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Critical
Changed in nss:
importance: Unknown → Medium
status: Unknown → Fix Released
summary:
- after update still vulnerable against LOGJAM
+ Firefox and Chromium still vulnerable against LOGJAM
I think that site is simply printing the warning based on the browser user agent, and not actually testing for the vulnerability.
Logjam is planned to be officially addressed in Firefox 39, so it will probably change once Firefox 39 gets pushed out.