Bug#630232: marked as done (New signatures for CAcert-Class 3-Subroot-certificate)

Your message dated Wed, 26 Oct 2011 18:32:15 +0000
with message-id <E1RJ8Gt-0003D5-JT@franck.debian.org>
and subject line Bug#630232: fixed in ca-certificates 20111025
has caused the Debian Bug report #630232,
regarding New signatures for CAcert-Class 3-Subroot-certificate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

630232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630232
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ca-certificates
Version: 20110421: all
Severity: important
Tags: security

CAcert has re-signed its Class 3-certificate with a new SHA256
signature. The formerly used MD5 signature is not seen as fully secure
any more by Mozilla (see: https://wiki.mozilla.org/CA:MD5and1024). Users
of Mozilla products like Firefox, and Thunderbird may experience errors
when these programs try to verify such certificates - others may follow.
Hence all users of CAcert's Class 3-certificates have to download and
install the newly signed certificates from CAcert's website.

The procedure in short:
1. Download the new Class 3 PKI Key from
2. SHA1-fingerprint must be:
3. Make it of use in the ca-certificates package

I've added the tag that this bug is a security vulnerability. Well, not
exactly in the package itself, and the file itself also not. But if not
updated users experience errors and may find a security issue has
occurred when it has not, or will experience a security vulnerability
because they have called a bad site with a hacked MD5 signature. So I
consider this as a security issue of priority low. Nevertheless I would
definitely want this bugfix to be included in all supported Debian
versions from stable (oldstable if supported) to experimental.

In case of further questions please don't hesitate to contact me.

Best regards,
Alexander Bahlo, CAcert.

--- End Message ---
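
The report above turns on which hash algorithm signs a CA certificate, and on checking a SHA1 fingerprint before trusting a download. As an added example (not part of the original messages or of the ca-certificates package), this Python code reads the outer signatureAlgorithm OID of every certificate in a PEM bundle, reports its SHA1 fingerprint and flags MD5-signed entries. All function names are hypothetical, and the sample bundle is built from constructed DER skeletons, not real certificates.

```python
import base64, hashlib, re
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"md5WithRSAEncryption"}  # the algorithm the bug report is about

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:  # base-128 digits, high bit set means more follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):  # Certificate ::= SEQUENCE {tbsCertificate, alg, sig}
    _, start, _ = read_tlv(der, 0)            # enter Certificate
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # enter AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def audit_bundle(pem_text):  # -> [(sha1_hex, algorithm, is_weak)] per PEM block
    rows = []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S):
        der = base64.b64decode(b64)
        alg = signature_algorithm(der)
        rows.append((hashlib.sha1(der).hexdigest(), alg, alg in WEAK))
    return rows

# Constructed skeletons (not real certificates): stub tbs, OID + NULL, empty signature.
def _skeleton(oid_hex):
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, b"\x02\x01\x02") + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_BUNDLE = _skeleton("2a864886f70d010104") + _skeleton("2a864886f70d01010b")
```

Passing the text of a real PEM bundle to `audit_bundle` works the same way, since the long-form DER lengths found in real certificates are handled by `read_tlv`.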
--- Begin Message ---
Source: ca-certificates
Source-Version: 20111025

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive:

  to main/c/ca-certificates/ca-certificates_20111025.dsc
  to main/c/ca-certificates/ca-certificates_20111025.tar.gz
  to main/c/ca-certificates/ca-certificates_20111025_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 630232@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.8
Date: Tue, 25 Oct 2011 09:12:10 -0500
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20111025
Distribution: unstable
Urgency: low
Maintainer: Michael Shuler <michael@pbandjelly.org>
Changed-By: Michael Shuler <michael@pbandjelly.org>
Description:
 ca-certificates - Common CA certificates
Closes: 537382 588219 619587 630232 643667
Changes:
 ca-certificates (20111025) unstable; urgency=low
   [ Michael Shuler ]
   * Add 3.0 (native) source format
   * Add Vcs-Git/Browser fields
   * Add myself as new Maintainer with Uploaders  Closes: #588219
   * Update mozilla/certdata.txt to latest (NSS branch version
     Certificates added (+) and removed (-):
     + "AffirmTrust Commercial"
     + "AffirmTrust Networking"
     + "AffirmTrust Premium"
     + "AffirmTrust Premium ECC"
     + "A-Trust-nQual-03"
     + "Bogus Global Trustee"
     + "Bogus GMail"
     + "Bogus Google"
     + "Bogus kuix.de"
     + "Bogus live.com"
     + "Bogus Mozilla Addons"
     + "Bogus Skype"
     + "Bogus Yahoo 1"
     + "Bogus Yahoo 2"
     + "Bogus Yahoo 3"
     + "Certinomis - Autorité Racine"
     + "Certum Trusted Network CA"
     + "Explicitly Distrust DigiNotar Cyber CA"
     + "Explicitly Distrust DigiNotar Cyber CA 2nd"
     + "Explicitly Distrust DigiNotar Root CA"
     + "Explicitly Distrust DigiNotar Services 1024 CA"
     + "Explicitly Distrusted DigiNotar PKIoverheid"
     + "Explicitly Distrusted DigiNotar PKIoverheid G2"
     + "Go Daddy Root Certificate Authority - G2"
     + "Root CA Generalitat Valenciana"
     + "Starfield Root Certificate Authority - G2"
     + "Starfield Services Root Certificate Authority - G2"
     + "TWCA Root Certification Authority"
     - "AOL Time Warner Root Certification Authority 1"
     - "AOL Time Warner Root Certification Authority 2"
     - "DigiNotar Root CA"
     - "Entrust.net Global Secure Personal CA"
     - "Entrust.net Global Secure Server CA"
     - "Entrust.net Secure Personal CA"
     - "IPS Chained CAs root"
     - "IPS CLASE1 root"
     - "IPS CLASE3 root"
     - "IPS CLASEA1 root"
     - "IPS CLASEA3 root"
     - "IPS Timestamping root"
     - "Thawte Personal Freemail CA"
     - "Thawte Time Stamping CA"
   * "Bogus *" CAs above address Comodo MITM 03/11  Closes: #619587
   * Update CAcert-Class 3-Subroot-certificate  Closes: #630232
   [ Steve Langasek ]
   * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
     the way before calling c_rehash, so that symlinks don't accidentally get
     pointed here, breaking openssl certificate verification  LP: #854927
   [ Loïc Minier ]
   * Drop bogus c_rehash on upgrades, which caused issue when
     ca-certificates.crt was still in place; instead, call
     update-ca-certificates --fresh on upgrades to this version, and
     the usual update-ca-certificates otherwise  Closes: #643667, #537382
--- End Message ---