Bug#628780: Wrong hash link to cacert.org.pem and wron certificat hash handling at all
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: ca-certificates
Version: 20110421
Severity: important
The current links to the cacert.org.pem are 5ed36f99.0 and 99d0fa06.0.
Thie first certificate in that file is correct 99d0fa06.0 but the second
certificate hash is 590d426f.0 _not_ 5ed36f99.0.
As the second is the most often used certificate, connections to sites
using cacert certificates gets not trusted.
It seems to be a whole mess having two certificates in one file. That
would work if the link is created properly but c_rehash will only create
a link to the first certificate in file. Also if a certificate changes
the old link will not be updated (the 5ed36f99.0 seems to be a hash link
from a old certificate in the first position of this file).
As this is a generic problem of certificate handling in debian I set the
severity to important.
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (800, 'unstable'), (700, 'stable'), (60, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38.6 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Versions of packages ca-certificates depends on:
ii debconf [debconf-2.0] 1.5.39 Debian configuration management sy
ii openssl 1.0.0d-2 Secure Socket Layer (SSL) binary a
ca-certificates recommends no packages.
ca-certificates suggests no packages.
- -- debconf information:
* ca-certificates/enable_crts: brasil.gov.br/brasil.gov.br.crt, cacert.org/cacert.org.crt, debconf.org/ca.crt, gouv.fr/cert_igca_dsa.crt, gouv.fr/cert_igca_rsa.crt, mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt, mozilla/AddTrust_External_Root.crt, mozilla/AddTrust_Low-Value_Services_Root.crt, mozilla/AddTrust_Public_Services_Root.crt, mozilla/AddTrust_Qualified_Certificates_Root.crt, mozilla/Baltimore_CyberTrust_Root.crt, mozilla/COMODO_Certification_Authority.crt, mozilla/COMODO_ECC_Certification_Authority.crt, mozilla/Camerfirma_Chambers_of_Commerce_Root.crt, mozilla/Camerfirma_Global_Chambersign_Root.crt, mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/Certum_Root_CA.crt, mozilla/Comodo_AAA_Services_root.crt, mozilla/Comodo_Secure_Services_root.crt, mozilla/Comodo_Trusted_Services_root.crt, mozilla/DST_ACES_CA_X6.crt, mozilla/DST_Root_CA_X3.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DigiNotar_Root_CA.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_2.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_4.crt, mozilla/Entrust.net_Global_Secure_Personal_CA.crt, mozilla/Entrust.net_Global_Secure_Server_CA.crt, mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, mozilla/Entrust.net_Secure_Personal_CA.crt, mozilla/Entrust.net_Secure_Server_CA.crt, mozilla/Entrust_Root_Certification_Authority.crt, mozilla/Equifax_Secure_CA.crt, mozilla/Equifax_Secure_Global_eBusiness_CA.crt, mozilla/Equifax_Secure_eBusiness_CA_1.crt, mozilla/Equifax_Secure_eBusiness_CA_2.crt, mozilla/Firmaprofesional_Root_CA.crt, mozilla/GTE_CyberTrust_Global_Root.crt, mozilla/GTE_CyberTrust_Root_CA.crt, mozilla/GeoTrust_Global_CA.crt, mozilla/GeoTrust_Global_CA_2.crt, mozilla/GeoTrust_Primary_Certification_Authority.crt, mozilla/GeoTrust_Universal_CA.crt, mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GlobalSign_Root_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/IPS_CLASE1_root.crt, mozilla/IPS_CLASE3_root.crt, mozilla/IPS_CLASEA1_root.crt, mozilla/IPS_CLASEA3_root.crt, mozilla/IPS_Chained_CAs_root.crt, mozilla/IPS_Servidores_root.crt, mozilla/IPS_Timestamping_root.crt, mozilla/NetLock_Business_=Class_B=_Root.crt, mozilla/NetLock_Express_=Class_C=_Root.crt, mozilla/NetLock_Notary_=Class_A=_Root.crt, mozilla/NetLock_Qualified_=Class_QA=_Root.crt, mozilla/Network_Solutions_Certificate_Authority.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/RSA_Root_Certificate_1.crt, mozilla/RSA_Security_1024_v3.crt, mozilla/RSA_Security_2048_v3.crt, mozilla/SecureTrust_CA.crt, mozilla/Secure_Global_CA.crt, mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_1_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, mozilla/Staat_der_Nederlanden_Root_CA.crt, mozilla/Starfield_Class_2_CA.crt, mozilla/StartCom_Certification_Authority.crt, mozilla/StartCom_Ltd..crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Platinum_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/Swisscom_Root_CA_1.crt, mozilla/TC_TrustCenter__Germany__Class_2_CA.crt, mozilla/TC_TrustCenter__Germany__Class_3_CA.crt, mozilla/TDC_Internet_Root_CA.crt, mozilla/TDC_OCES_Root_CA.crt, mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt, mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt, mozilla/Taiwan_GRCA.crt, mozilla/Thawte_Personal_Basic_CA.crt, mozilla/Thawte_Personal_Freemail_CA.crt, mozilla/Thawte_Personal_Premium_CA.crt, mozilla/Thawte_Premium_Server_CA.crt, mozilla/Thawte_Server_CA.crt, mozilla/Thawte_Time_Stamping_CA.crt, mozilla/UTN-USER_First-Network_Applications.crt, mozilla/UTN_DATACorp_SGC_Root_CA.crt, mozilla/UTN_USERFirst_Email_Root_CA.crt, mozilla/UTN_USERFirst_Hardware_Root_CA.crt, mozilla/ValiCert_Class_1_VA.crt, mozilla/ValiCert_Class_2_VA.crt, mozilla/Visa_International_Global_Root_2.crt, mozilla/Visa_eCommerce_Root.crt, mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, mozilla/Wells_Fargo_Root_CA.crt, mozilla/XRamp_Global_CA_Root.crt, mozilla/beTRUSTed_Root_CA-Baltimore_Implementation.crt, mozilla/beTRUSTed_Root_CA.crt, mozilla/beTRUSTed_Root_CA_-_Entrust_Implementation.crt, mozilla/beTRUSTed_Root_CA_-_RSA_Implementation.crt, mozilla/thawte_Primary_Root_CA.crt, signet.pl/signet_ca1_pem.crt, signet.pl/signet_ca2_pem.crt, signet.pl/signet_ca3_pem.crt, signet.pl/signet_ocspklasa2_pem.crt, signet.pl/signet_ocspklasa3_pem.crt, signet.pl/signet_pca2_pem.crt, signet.pl/signet_pca3_pem.crt, signet.pl/signet_rootca_pem.crt, signet.pl/signet_tsa1_pem.crt, spi-inc.org/spi-ca-2003.crt, spi-inc.org/spi-cacert-2008.crt, telesec.de/deutsche-telekom-root-ca-2.crt,
ca-certificates/new_crts:
* ca-certificates/trust_new_crts: ask
- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQGcBAEBCgAGBQJN5gx5AAoJEK8RO3RE9oVx0JAMAIARiOLMAYKp+fdDDmqhRITV
dIWZksPdgFu9Zt3nXfhRWttHS7WBGlidKjlsjMVK/vjicHc9FfSq2mvxgN/OcSc1
aIF261a3qPUCr+l1jIopoYbFl+Ss1HrE3vDFsFNOsJL5L1HMg5WVfFztPyDgIqzu
P9XM8fXF10/rh4NrDWiFHKLTFNLnMFEsIJQrwKMGHBc8ky763muJATjMh9TTpoOs
g09xQHDNocG1NN/V1VoLmblCFFi0SWphNrmA2Gx8P4GoAOhTln+fTZ/g3iZJUSwp
vjD5sqQ+WiyVTU8tZCTbMzJa01W9DxFa7tCFBexVj8Y5xlF9eNM5g1+8YOcR/nMe
6lQJB95Nxc3nNg95czDPbqRKfdcHiZWVslnnQAeOaDSzhGTGyb6r2ahbuxOt3vV1
b0qyR3l54zMaw81hr7ENggnjFxOQOPJUxp7VTRXdUKIl1CJ+fW16cM2dGVY7ij7p
S+hQNhTGrN0Li6EIXr+y1l6H+7eTWQYTKL0VQmRKSQ==
=yEVf
-----END PGP SIGNATURE-----
Reply to: