CVE-2018-12384 (retired)

Priority
Description
When handling a SSLv2-compatible ClientHello request, the server doesn't
generate a new random value but sends an all-zero value instead. This
results in full malleability of the ClientHello for SSLv2 used for TLS 1.2
in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Assigned-to
mdeslaur
Package
Source: nss (LP Ubuntu Debian)
Upstream:released (3.36.5,3.39)
Ubuntu 12.04 ESM (Precise Pangolin):released (2:3.28.4-0ubuntu0.12.04.2)
Ubuntu 16.04 LTS (Xenial Xerus):released (2:3.28.4-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:3.35-2ubuntu2.1)
Ubuntu 18.10 (Cosmic Cuttlefish):released (2:3.36.1-1ubuntu1.1)
Ubuntu 19.04 (Disco Dingo):not-affected (2:3.39-1ubuntu1)
Patches:
Upstream:https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d (3.36)
Upstream:https://hg.mozilla.org/projects/nss/rev/f182a11fbe53 (3.36)
More Information

Updated: 2019-05-01 02:15:02 UTC (commit ddbf77d67f822f33f5eef6c1a01b12f207da981a)