This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 838879 - Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunderbird
Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunder...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120717,repor...
: Security
Depends On:
Blocks: 835033
  Show dependency treegraph
 
Reported: 2012-07-10 06:39 EDT by Huzaifa S. Sidhpurwala
Modified: 2012-07-18 03:31 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-18 03:31:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Huzaifa S. Sidhpurwala 2012-07-10 06:39:30 EDT
The mitigation for CVE-2011-3389 flaw was implemented in the Network Security Services (NSS) library.  This mitigation was added in NSS version 3.13, and is enabled by default upstream.  Environment variable NSS_SSL_CBC_RANDOM_IV can be used to disable the mitigation when it causes failures to connect to servers that are intolerant to 1/(n-1) record splitting.  Setting the environment variable value to 0 disables the mitigation.

The nss packages in Red Hat Enterprise Linux 5 and 6 were updated to version 3.13.1 via RHBA-2012:0337:
  https://rhn.redhat.com/errata/RHBA-2012-0337.html

Unlike upstream versions, this mitigation is disabled by default in nss packages in Red Hat Enterprise Linux 5 and 6.

This bug is used to track enabling of this mitigation, by seting the NSS_SSL_CBC_RANDOM_IV environment variable in the firefox and thunderbird start-up scripts.

More details about the CVE-2011-3389 flaw at:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3389
Comment 2 Tomas Hoger 2012-07-16 09:12:51 EDT
This mitigation is enabled by default in upstream Firefox versions since version 9.
Comment 3 errata-xmlrpc 2012-07-17 14:57:34 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1089 https://rhn.redhat.com/errata/RHSA-2012-1089.html
Comment 4 errata-xmlrpc 2012-07-17 15:27:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1088 https://rhn.redhat.com/errata/RHSA-2012-1088.html

Note You need to log in before you can comment on or make changes to this bug.