CVE-2018-12384

Priority
Description
When handling a SSLv2-compatible ClientHello request, the server doesn't
generate a new random value but sends an all-zero value instead. This
results in full malleability of the ClientHello for SSLv2 used for TLS 1.2
in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Assigned-to
mdeslaur
Notes
Package
Source: nss (LP Ubuntu Debian)
Upstream:released (3.36.5,3.39)
Ubuntu 12.04 ESM (Precise Pangolin):released (2:3.28.4-0ubuntu0.12.04.2)
Ubuntu 14.04 ESM (Trusty Tahr):released (2:3.28.4-0ubuntu0.14.04.4)
Ubuntu 16.04 LTS (Xenial Xerus):released (2:3.28.4-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:3.35-2ubuntu2.1)
Patches:
Upstream:https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d (3.36)
Upstream:https://hg.mozilla.org/projects/nss/rev/f182a11fbe53 (3.36)
More Information

Updated: 2020-01-29 20:01:46 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)