Bugzilla – Bug 1106873
VUL-0: CVE-2018-12384: mozilla-nss: ServerHello.random is all zero when handling a v2-compatible ClientHello
Last modified: 2020-06-12 20:53:05 UTC
rh#1622089

A flaw was found with NSS library when compiled with a server application. A man-in-the-middle attacker could use this flaw in a passive replay attack. The most severe issue for confidentiality is for stream ciphers (and AES-GCM), as the server may encrypt different data with the exact same key stream and idempotency, the server may perform same action multiple times without proper authentication

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1622089
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12384
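A defender-side check for the symptom named in the bug title, added here as an example and not taken from the report or from NSS: it parses one captured TLS record and flags a ServerHello whose random field is all zero. The function names and the sample records are constructed for illustration, and the parser assumes the ServerHello is the first, unfragmented handshake message in the record.

```python
import struct

HANDSHAKE = 22      # TLS record content type: handshake
SERVER_HELLO = 2    # handshake message type: ServerHello
RANDOM_LEN = 32     # size of ServerHello.random

def server_hello_random(record: bytes):
    """Return ServerHello.random from one TLS record, or None if the record
    is not a handshake record that starts with a complete ServerHello header.
    Assumption: the ServerHello is the first, unfragmented message."""
    if len(record) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # Need handshake header (4) + server_version (2) + random (32).
    if ctype != HANDSHAKE or len(body) < 4 + 2 + RANDOM_LEN:
        return None
    if body[0] != SERVER_HELLO:
        return None
    if int.from_bytes(body[1:4], "big") < 2 + RANDOM_LEN:
        return None
    return body[6:6 + RANDOM_LEN]

def has_zero_random(record: bytes) -> bool:
    """True only when a ServerHello was parsed and its random is all zero."""
    rnd = server_hello_random(record)
    return rnd is not None and rnd == bytes(RANDOM_LEN)

def build_server_hello(random: bytes) -> bytes:
    """Constructed sample: minimal TLS 1.2 ServerHello record, no extensions."""
    hello = b"\x03\x03" + random + b"\x00" + b"\xc0\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    samples = {
        "zero random (affected behaviour)": build_server_hello(bytes(32)),
        "non-zero random": build_server_hello(bytes(range(32))),
        "alert record": b"\x15\x03\x03\x00\x02\x02\x28",
    }
    for name, rec in samples.items():
        print(f"{name}: all-zero ServerHello.random = {has_zero_random(rec)}")
```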
this is a server side issue, so for use in apache2-mod_nss for us
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes
This is an autogenerated message for OBS integration: This bug (1106873) was mentioned in https://build.opensuse.org/request/show/657135 15.0+42.3 / mozilla-nss
openSUSE-SU-2018:4117-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1106873,1119069
CVE References: CVE-2018-12384,CVE-2018-12404
Sources used:
openSUSE Leap 42.3 (src): mozilla-nss-3.36.6-54.1
openSUSE Leap 15.0 (src): mozilla-nss-3.36.6-lp150.2.6.1
SUSE-SU-2018:4235-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1097410,1106873,1119069,1119105
CVE References: CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): MozillaFirefox-60.4.0-3.21.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src): MozillaFirefox-60.4.0-3.21.1
SUSE Linux Enterprise Module for Basesystem 15 (src): mozilla-nspr-4.20-3.3.2, mozilla-nss-3.40.1-3.7.2
SUSE-SU-2018:4236-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1097410,1106873,1119069,1119105
CVE References: CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Sources used:
SUSE OpenStack Cloud 7 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server 12-SP4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server 12-SP3 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Server 12-LTSS (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Desktop 12-SP4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Linux Enterprise Desktop 12-SP3 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE Enterprise Storage 4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE CaaS Platform ALL (src): mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE CaaS Platform 3.0 (src): mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
SUSE-SU-2018:4236-2: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1097410,1106873,1119069,1119105
CVE References: CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
released