[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#962008: RFS: ca-certificates/20200601 [RC] -- Common CA certificates

On 6/3/20 1:37 AM, Adrian Bunk wrote:

ca-certificates (20200601) unstable; urgency=medium
ca-certificates (20200601~deb10u1) buster-security; urgency=medium
ca-certificates (20200601~deb9u1) stretch-security; urgency=medium

Did you already agree with the security team (Cc'ed) that these should
also be published as DSA for stable and oldstable?

If yes, a security team member might be the best person to sponsor these
for unstable/buster-security/stretch-security.

If they shouldn't be treated as DSA, the uploads for stable and
oldstable have to be done differently.

BTW: What is the next expiry date of any certificate in ca-certificates?

(Note: 20200601 has been uploaded to unstable by Andrew Shadura <bugzilla@tut.by> - thank you for the upload, Andrew.)

Re: exipry dates:

Generally, expiry date has not been an issue remaining in the bundle until removal upstream, since the certification authorities have managed migration to new roots well and openssl>=1.1.1 handles this gracefully. This appears to have not been the case with AddTrust and older openssl<1.1.1 bug, as that fix was not backported, to the best of my understanding.

I would have to cycle through all the certs to see what dates are upcoming, but this is a new(old-openssl) problem, apparently. I don't have that bit of time at this very moment.

Re: security uploads:

I have received no reply from the security team, as of this message, so awaiting their OK/advice. Copy of email sent to team@security, since there is no secret info in here:

-------- Forwarded Message --------
Subject: ca-certificates: buster-security & stretch-security (and sid) uploads
Date: Mon, 1 Jun 2020 22:22:47 -0500
From: Michael Shuler <michael@pbandjelly.org>
To: team@security.debian.org

Hi Security Team,

I committed changes to to git for an RC security issue, as well as update the certificate bundle to current. This has been critical for a number of web services failing due to the expired certificate on older operating systems. Evidently this has been fixed in openssl-1.1.1, but never backported.

I have prepared unstable, and stable/oldstable security updates on mentors.


master sha for unstable (ca-certificates_20200601):
b3a8980b · Fix typo on AddTrust CN

RC bug fixed:
CA update:
Symantec roots explicitly blacklisted:

The master branch was merged to the debian-buster and debian-stretch branches (control file kept) and releases created for buster-security and stretch-security

debian-buster sha (ca-certificates_20200601~deb10u1):
5256b350 · Set buster-security for suite

debian-stretch sha (ca-certificates_20200601~deb10u1):
7bd8f941 · Set stretch-security for suite

I uploaded all 3 to mentors and they are ready to be sponsored:


bug#s for the mentors upload requests:


Please, let me know if I can provide any additional info.

Kind regards,

Reply to: