{"id":"USN-2672-1","summary":"nss vulnerabilities","details":"Karthikeyan Bhargavan discovered that NSS incorrectly handled state\ntransitions for the TLS state machine. If a remote attacker were able to\nperform a machine-in-the-middle attack, this flaw could be exploited to skip\nthe ServerKeyExchange message and remove the forward-secrecy property.\n(CVE-2015-2721)\n\nWatson Ladd discovered that NSS incorrectly handled Elliptical Curve\nCryptography (ECC) multiplication. A remote attacker could possibly use\nthis issue to spoof ECDSA signatures. (CVE-2015-2730)\n\nAs a security improvement, this update modifies NSS behaviour to reject DH\nkey sizes below 768 bits, preventing a possible downgrade attack.\n\nThis update also refreshes the NSS package to version 3.19.2 which includes\nthe latest CA certificate bundle.\n","modified":"2026-04-22T09:13:59.671816Z","published":"2015-07-09T17:32:22Z","related":["UBUNTU-CVE-2015-2721","UBUNTU-CVE-2015-2730"],"upstream":["CVE-2015-2721","CVE-2015-2730","UBUNTU-CVE-2015-2721","UBUNTU-CVE-2015-2730"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2672-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-2721"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-2730"}],"affected":[{"package":{"name":"nss","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/nss@2:3.19.2-0ubuntu0.14.04.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:3.19.2-0ubuntu0.14.04.1"}]}],"versions":["2:3.15.1-1ubuntu1","2:3.15.2-1","2:3.15.3-1","2:3.15.3.1-1","2:3.15.3.1-1.1","2:3.15.3.1-1.1ubuntu1","2:3.15.4-1ubuntu3","2:3.15.4-1ubuntu4","2:3.15.4-1ubuntu5","2:3.15.4-1ubuntu6","2:3.15.4-1ubuntu7","2:3.15.4-1ubuntu7.1","2:3.17-0ubuntu0.14.04.1","2:3.17.1-0ubuntu0.14.04.1","2:3.17.1-0ubuntu0.14.04.2","2:3.17.4-0ubuntu0.14.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libnss3","binary_version":"2:3.19.2-0ubuntu0.14.04.1"},{"binary_name":"libnss3-1d","binary_version":"2:3.19.2-0ubuntu0.14.04.1"},{"binary_name":"libnss3-nssdb","binary_version":"2:3.19.2-0ubuntu0.14.04.1"},{"binary_name":"libnss3-tools","binary_version":"2:3.19.2-0ubuntu0.14.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2672-1.json","cves_map":{"cves":[{"severity":[{"score":"medium","type":"Ubuntu"}],"id":"CVE-2015-2721"},{"severity":[{"score":"medium","type":"Ubuntu"}],"id":"CVE-2015-2730"}],"ecosystem":"Ubuntu:14.04:LTS"}}}],"schema_version":"1.7.5"}