[3.3] nss: security issues (CVE-2015-7575, CVE-2016-1938)
(CVE-2016-1938) Calculations with mp_div and mp_exptmod in Network Security Services
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security
Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0,
improperly divides numbers, which might make it easier for remote attackers
to defeat cryptographic protection mechanisms by leveraging use of the
(1) mp_div or (2) mp_exptmod function.
Fixed in: NSS 3.21
Commit with the fix:
(CVE-2015-7575) Prevent MD5 Downgrade in TLS 1.2 Signatures.
Mozilla Network Security Services (NSS) before 3.20.2, as used in
Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject
MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake
Protocol traffic, which makes it easier for man-in-the-middle attackers to
spoof servers by triggering a collision.
Fixed in: NSS 3.20.2
(from redmine: issue id 5184, created on 2016-02-24, closed on 2016-03-01)
main/nss: security upgrade to 3.20.2 (CVE-2015-7575, CVE-2016-1938). Fixes #5184
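
The check that the CVE-2015-7575 description above says was missing, as an added example (not NSS code and not part of the original issue): it parses a TLS 1.2 ECDHE ServerKeyExchange body and refuses a signature whose SignatureAndHashAlgorithm names MD5. The function name, result codes and the shortened sample messages are constructed for illustration; the field layout and HashAlgorithm values follow RFC 5246 and RFC 4492.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HashAlgorithm values from RFC 5246, section 7.4.1.4.1 */
enum { HASH_MD5 = 1, HASH_SHA256 = 4 };
enum ske_result { SKE_OK = 0, SKE_MALFORMED = -1, SKE_MD5_REJECTED = -2 };

/* Body of a TLS 1.2 ECDHE ServerKeyExchange with a named curve:
 *   curve_type(1)=3 | named_curve(2) | point_len(1) | point |
 *   hash(1) | sig_alg(1) | sig_len(2) | signature
 * Returns SKE_MD5_REJECTED when the server signed over an MD5 digest. */
enum ske_result check_ske_ecdhe(const uint8_t *p, size_t len, uint8_t *hash_out)
{
    size_t off, point_len, sig_len;

    if (len < 4 || p[0] != 3)             /* 3 = named_curve */
        return SKE_MALFORMED;
    point_len = p[3];
    off = 4 + point_len;                  /* start of SignatureAndHashAlgorithm */
    if (point_len == 0 || len < off + 4)  /* need hash, sig_alg, sig_len */
        return SKE_MALFORMED;

    uint8_t hash = p[off];
    sig_len = ((size_t)p[off + 2] << 8) | p[off + 3];
    if (sig_len == 0 || len != off + 4 + sig_len)
        return SKE_MALFORMED;             /* truncated or trailing bytes */
    if (hash_out) *hash_out = hash;
    return hash == HASH_MD5 ? SKE_MD5_REJECTED : SKE_OK;
}

/* Constructed samples: curve 23, 5-byte placeholder point, rsa(1), 4-byte placeholder signature */
static const uint8_t sample_md5[]    = {3, 0, 23, 5, 4, 1, 2, 3, 4, HASH_MD5,    1, 0, 4, 0xAA, 0xBB, 0xCC, 0xDD};
static const uint8_t sample_sha256[] = {3, 0, 23, 5, 4, 1, 2, 3, 4, HASH_SHA256, 1, 0, 4, 0xAA, 0xBB, 0xCC, 0xDD};

int main(void)
{
    printf("md5 sample:    %d\n", check_ske_ecdhe(sample_md5, sizeof sample_md5, NULL));
    printf("sha256 sample: %d\n", check_ske_ecdhe(sample_sha256, sizeof sample_sha256, NULL));
    return 0;
}
```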