Bug 838879

Summary: Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunderbird
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gecko-bugs-nobody, jhorak, security-response-team, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-18 07:31:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 835033    

Description Huzaifa S. Sidhpurwala 2012-07-10 10:39:30 UTC 
The mitigation for CVE-2011-3389 flaw was implemented in the Network Security Services (NSS) library.  This mitigation was added in NSS version 3.13, and is enabled by default upstream.  Environment variable NSS_SSL_CBC_RANDOM_IV can be used to disable the mitigation when it causes failures to connect to servers that are intolerant to 1/(n-1) record splitting.  Setting the environment variable value to 0 disables the mitigation.

The nss packages in Red Hat Enterprise Linux 5 and 6 were updated to version 3.13.1 via RHBA-2012:0337:
  https://rhn.redhat.com/errata/RHBA-2012-0337.html

Unlike upstream versions, this mitigation is disabled by default in nss packages in Red Hat Enterprise Linux 5 and 6.

This bug is used to track enabling of this mitigation, by seting the NSS_SSL_CBC_RANDOM_IV environment variable in the firefox and thunderbird start-up scripts.

More details about the CVE-2011-3389 flaw at:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3389
Comment 2 Tomas Hoger 2012-07-16 13:12:51 UTC 
This mitigation is enabled by default in upstream Firefox versions since version 9.
Comment 3 errata-xmlrpc 2012-07-17 18:57:34 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1089 https://rhn.redhat.com/errata/RHSA-2012-1089.html
Comment 4 errata-xmlrpc 2012-07-17 19:27:57 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1088 https://rhn.redhat.com/errata/RHSA-2012-1088.html