diff --git a/SOURCES/nss-lockcert-api-change.patch b/SOURCES/nss-lockcert-api-change.patch
deleted file mode 100644
index 0eba9a4..0000000
--- a/SOURCES/nss-lockcert-api-change.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-# HG changeset patch
-# User Franziskus Kiefer <franziskuskiefer@gmail.com>
-# Date 1486546862 -3600
-#      Wed Feb 08 10:41:02 2017 +0100
-# Node ID 896e3eb3a79933a51886949c7adb67ef37b721c0
-# Parent  a8d77070526320ad0edc7ba164ce97f10c4f7d94
-Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubert
-
-diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h
---- a/lib/certdb/cert.h
-+++ b/lib/certdb/cert.h
-@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHand
- void CERT_LockCertRefCount(CERTCertificate *cert);
- 
- /*
-- * Free the cert reference count lock
-+ * Release the cert reference count lock
-  */
- void CERT_UnlockCertRefCount(CERTCertificate *cert);
- 
- /*
-- * Acquire the cert trust lock
-- * There is currently one global lock for all certs, but I'm putting a cert
-- * arg here so that it will be easy to make it per-cert in the future if
-- * that turns out to be necessary.
-- */
--void CERT_LockCertTrust(const CERTCertificate *cert);
--
--/*
-- * Free the cert trust lock
-- */
--void CERT_UnlockCertTrust(const CERTCertificate *cert);
--
--/*
-  * Digest the cert's subject public key using the specified algorithm.
-  * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
-  * the tag, length, and number of unused bits) rather than the whole
-diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h
---- a/lib/certdb/certi.h
-+++ b/lib/certdb/certi.h
-@@ -378,14 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGener
- SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage,
-                               unsigned int* failedFlags, PRBool* isTrusted);
- 
- /*
-  * Acquire the cert temp/perm lock
-  */
- void CERT_LockCertTempPerm(const CERTCertificate* cert);
- 
- /*
-  * Release the temp/perm lock
-  */
- void CERT_UnlockCertTempPerm(const CERTCertificate* cert);
- 
-+/*
-+ * Acquire the cert trust lock
-+ * There is currently one global lock for all certs, but I'm putting a cert
-+ * arg here so that it will be easy to make it per-cert in the future if
-+ * that turns out to be necessary.
-+ */
-+void CERT_LockCertTrust(const CERTCertificate* cert);
-+
-+/*
-+ * Release the cert trust lock
-+ */
-+void CERT_UnlockCertTrust(const CERTCertificate* cert);
-+
- #endif /* _CERTI_H_ */
diff --git a/SOURCES/nss-ssl2-server-random.patch b/SOURCES/nss-ssl2-server-random.patch
new file mode 100644
index 0000000..0a242c8
--- /dev/null
+++ b/SOURCES/nss-ssl2-server-random.patch
@@ -0,0 +1,177 @@
+# HG changeset patch
+# User Martin Thomson <martin.thomson@gmail.com>
+# Date 1535458477 -7200
+#      Tue Aug 28 14:14:37 2018 +0200
+# Branch NSS_3_36_BRANCH
+# Node ID 14bfa8390396e18ba5b35c7fb299a2c2023f6448
+# Parent  42bc6956fda39f6afe81b8de7afb542f3216bc7e
+Bug 1483128 - Move random generation, r?ekr
+
+Summary: This is the simpler fix.  It's making the bug pretty obvious though.
+
+Reviewers: ekr, kaie
+
+Subscribers: HubertKario, mt, ekr, beurdouche, kaie, jcj, ueno, wtc, rrelyea
+
+Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
+
+Bug #: 1483128
+
+Differential Revision: https://phabricator.services.mozilla.com/D4282
+
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -8082,14 +8082,6 @@ ssl3_HandleClientHello(sslSocket *ss, PR
+         }
+     }
+ 
+-    /* Generate the Server Random now so it is available
+-     * when we process the ClientKeyShare in TLS 1.3 */
+-    rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
+-    if (rv != SECSuccess) {
+-        errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE;
+-        goto loser;
+-    }
+-
+ #ifndef TLS_1_3_DRAFT_VERSION
+     /*
+      * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
+@@ -8878,6 +8870,7 @@ ssl_ConstructServerHello(sslSocket *ss, 
+     SECStatus rv;
+     SSL3ProtocolVersion version;
+     sslSessionID *sid = ss->sec.ci.sid;
++    const PRUint8 *random;
+ 
+     if (IS_DTLS(ss) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+         version = dtls_TLSVersionToDTLSVersion(ss->version);
+@@ -8889,9 +8882,17 @@ ssl_ConstructServerHello(sslSocket *ss, 
+     if (rv != SECSuccess) {
+         return SECFailure;
+     }
+-    /* Random already generated in ssl3_HandleClientHello */
+-    rv = sslBuffer_Append(messageBuf, helloRetry ? ssl_hello_retry_random : ss->ssl3.hs.server_random,
+-                          SSL3_RANDOM_LENGTH);
++
++    if (helloRetry) {
++        random = ssl_hello_retry_random;
++    } else {
++        rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
++        if (rv != SECSuccess) {
++            return SECFailure;
++        }
++        random = ss->ssl3.hs.server_random;
++    }
++    rv = sslBuffer_Append(messageBuf, random, SSL3_RANDOM_LENGTH);
+     if (rv != SECSuccess) {
+         return SECFailure;
+     }
+# HG changeset patch
+# User Martin Thomson <martin.thomson@gmail.com>
+# Date 1535458545 -7200
+#      Tue Aug 28 14:15:45 2018 +0200
+# Node ID eee3954f57355ad04bc32f1c2dfe25d7e13a3382
+# Parent  4c7ffcfd43f613eb08ee7b4a75dbeb1a7fb540ce
+Bug 1483128 - Test that randoms aren't fixed, r?ekr
+
+Summary:
+We can't easily test that ClientHello.random and ServerHello.random are truly
+random in these tests, but we can catch mistakes the likes of which produced
+this bug.  This just runs a few handshakes and tests that none of the random
+values are equal to any other, or they are equal to zero.
+
+Reviewers: ekr
+
+Subscribers: mt, ekr, beurdouche, kaie, jcj, ueno, rrelyea, wtc, HubertKario
+
+Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
+
+Bug #: 1483128
+
+Differential Revision: https://phabricator.services.mozilla.com/D4413
+
+diff --git a/gtests/ssl_gtest/ssl_loopback_unittest.cc b/gtests/ssl_gtest/ssl_loopback_unittest.cc
+--- a/gtests/ssl_gtest/ssl_loopback_unittest.cc
++++ b/gtests/ssl_gtest/ssl_loopback_unittest.cc
+@@ -541,6 +541,47 @@ TEST_F(TlsConnectTest, OneNRecordSplitti
+   EXPECT_EQ(ExpectedCbcLen(20), records->record(2).buffer.len());
+ }
+ 
++// We can't test for randomness easily here, but we can test that we don't
++// produce a zero value, or produce the same value twice.  There are 5 values
++// here: two ClientHello.random, two ServerHello.random, and one zero value.
++// Matrix them and fail if any are the same.
++TEST_P(TlsConnectGeneric, CheckRandoms) {
++  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
++
++  static const size_t random_len = 32;
++  uint8_t crandom1[random_len], srandom1[random_len];
++  uint8_t z[random_len] = {0};
++
++  auto ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello);
++  auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
++  Connect();
++  ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
++  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++  memcpy(crandom1, ch->buffer().data() + 2, random_len);
++  memcpy(srandom1, sh->buffer().data() + 2, random_len);
++  EXPECT_NE(0, memcmp(crandom1, srandom1, random_len));
++  EXPECT_NE(0, memcmp(crandom1, z, random_len));
++  EXPECT_NE(0, memcmp(srandom1, z, random_len));
++
++  Reset();
++  ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello);
++  sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
++  Connect();
++  ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
++  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++  const uint8_t* crandom2 = ch->buffer().data() + 2;
++  const uint8_t* srandom2 = sh->buffer().data() + 2;
++
++  EXPECT_NE(0, memcmp(crandom2, srandom2, random_len));
++  EXPECT_NE(0, memcmp(crandom2, z, random_len));
++  EXPECT_NE(0, memcmp(srandom2, z, random_len));
++
++  EXPECT_NE(0, memcmp(crandom1, crandom2, random_len));
++  EXPECT_NE(0, memcmp(crandom1, srandom2, random_len));
++  EXPECT_NE(0, memcmp(srandom1, crandom2, random_len));
++  EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
++}
++
+ INSTANTIATE_TEST_CASE_P(
+     GenericStream, TlsConnectGeneric,
+     ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+diff --git a/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc b/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+--- a/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
++++ b/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+@@ -350,6 +350,30 @@ TEST_P(SSLv2ClientHelloTest, RequireSafe
+   Connect();
+ }
+ 
++TEST_P(SSLv2ClientHelloTest, CheckServerRandom) {
++  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
++  SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
++
++  static const size_t random_len = 32;
++  uint8_t srandom1[random_len];
++  uint8_t z[random_len] = {0};
++
++  auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
++  Connect();
++  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++  memcpy(srandom1, sh->buffer().data() + 2, random_len);
++  EXPECT_NE(0, memcmp(srandom1, z, random_len));
++
++  Reset();
++  sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
++  Connect();
++  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++  const uint8_t* srandom2 = sh->buffer().data() + 2;
++
++  EXPECT_NE(0, memcmp(srandom2, z, random_len));
++  EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
++}
++
+ // Connect to the server with TLS 1.1, signalling that this is a fallback from
+ // a higher version. As the server doesn't support anything higher than TLS 1.1
+ // it must accept the connection.
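Review bot: In the embedded ssl3con.c hunk, the new `else` branch of ssl_ConstructServerHello becomes the only visible place where ss->ssl3.hs.server_random is filled, yet no comment records that. The removed comment ("Random already generated in ssl3_HandleClientHello") stated an assumption that evidently did not hold on every path into this function. I would add above the call something like `/* server_random is generated here, when the ServerHello is built; nothing may read it earlier in the handshake. */`. The comment deleted from ssl3_HandleClientHello said the early generation was needed for TLS 1.3 ClientKeyShare processing, so it is worth confirming that no code between the two sites still reads server_random. The failure path also no longer sets `SSL_ERROR_GENERATE_RANDOM_FAILURE` explicitly as the old site did, which is fine only if ssl3_GetNewRandom records the error itself (not visible here); ssl_ConstructServerHello starts and ends outside the hunk.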
diff --git a/SOURCES/nss-tests-ssl-normal-normal.patch b/SOURCES/nss-tests-ssl-normal-normal.patch
new file mode 100644
index 0000000..aa5346a
--- /dev/null
+++ b/SOURCES/nss-tests-ssl-normal-normal.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1520875743 -3600
+#      Mon Mar 12 18:29:03 2018 +0100
+# Node ID 1053cc7b45a2dfe4a44558f0a0e7c4b3f0e9c6ec
+# Parent  be88b7a4fb599a367a13688a9790d3010f3b3692
+Bug 1444960, Exercise SSL tests which only run under non-FIPS, r=kaie
+
+diff --git a/tests/all.sh b/tests/all.sh
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -309,7 +309,7 @@ TESTS=${NSS_TESTS:-$tests}
+ 
+ ALL_TESTS=${TESTS}
+ 
+-nss_ssl_tests="crl iopr policy"
++nss_ssl_tests="crl iopr policy normal_normal"
+ if [ $NO_INIT_SUPPORT -eq 0 ]; then
+     nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
+ fi
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 984a6fe..d117328 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -27,7 +27,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.36.0
-Release:          5%{?dist}
+Release:          7%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -135,9 +135,10 @@ Patch139: nss-modutil-skip-changepw-fips.patch
 # Work around for yum
 # https://bugzilla.redhat.com/show_bug.cgi?id=1469526
 Patch141: nss-sysinit-getenv.patch
-# To revert the change in:
-# https://hg.mozilla.org/projects/nss/rev/896e3eb3a799
-Patch142: nss-lockcert-api-change.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1483128
+Patch142: nss-ssl2-server-random.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1444960
+Patch143: nss-tests-ssl-normal-normal.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
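Review bot: The new comment above `Patch142` cites only the Mozilla bug, while the changelog entry added in this same commit says the release backports the fix for CVE-2018-12384. Assuming nss-ssl2-server-random.patch is that fix, naming the CVE next to the patch keeps the security backport traceable from the patch list, e.g. `# CVE-2018-12384, upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1483128`.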
@@ -246,7 +247,8 @@ pushd nss
 %patch138 -p1 -b .devslot-reinsert
 %patch139 -p1 -b .modutil-skip-changepw-fips
 %patch141 -p1 -b .sysinit-getenv
-%patch142 -p1 -R -b .lockcert-api-change
+%patch142 -p1 -b .ssl2-server-random
+%patch143 -p1 -b .tests-ssl-normal-normal
 popd
 
 #########################################################
@@ -847,6 +849,14 @@ fi
 
 
 %changelog
+* Wed Aug 29 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-7
+- Backport upstream fix for CVE-2018-12384
+- Remove nss-lockcert-api-change.patch, which turned out to be a
+  mistake (the symbol was not exported from libnss)
+
+* Thu Apr 19 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-6
+- Exercise SSL tests which only run under non-FIPS setting
+
 * Wed Apr 18 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-5
 - Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h