Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

To: Mike Hommey <mh@glandium.org>
Cc: "Yves-Alexis Perez" <corsac@debian.org>, 639744@bugs.debian.org, Josh Triplett <josh@joshtriplett.org>, openssl@packages.debian.org
Subject: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
From: Raphael Geissert <geissert@debian.org>
Date: Sun, 4 Sep 2011 01:37:19 -0500
Message-id: <[🔎] 201109040137.21574.geissert@debian.org>
Reply-to: Raphael Geissert <geissert@debian.org>, 639744@bugs.debian.org
In-reply-to: <[🔎] 20110903064522.GA4715@glandium.org>
References: <20110829210357.26233.13731.reportbug@leaf> <[🔎] 20110903054023.GA3559@glandium.org> <[🔎] 20110903064522.GA4715@glandium.org>

On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> Looking at the patches, this really is:
[...]

Ok, with the patches we got NSS covered, but we still need to do something for 
other users.

A first look at stuff we ship, this seems to be their current status:
* NSS:
ice* packages should be okay after the latest NSS update.

* OpenSSL
Nothing special here

* GnuTLS
Nothing special here

* chromium:
Even after the NSS update, it seems to be happy to use the Explicitly 
Distrusted certs.

* Qt:
Qt4 has built-in support for SSL via OpenSSL.
Qt 4.7 (wheezey+) uses certs from /etc/ssl
Qt 4.6 and older (lenny, squeeze) uses its own bundled list of certs. 
DigiNotar not included

Qt3 doesn't have built-in support for SSL.
Qt3-based software often use QCA, see below

* QCA
There are two versions: 1 for Qt3 and 2 for Qt4, both use OpenSSL as the 
backend for SSL.


Seems like it would be better if we also handled the issue at the libssl 
level. OpenSSL maintainers: does that sound doable?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to:

Follow-Ups:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Mike Hommey <mh@glandium.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Mike Hommey <mh@glandium.org>
- Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Kurt Roeckx <kurt@roeckx.be>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Yves-Alexis Perez <corsac@debian.org>

References:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Mike Hommey <mh@glandium.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Mike Hommey <mh@glandium.org>

Prev by Date: avifile_0.7.48~20090503.ds-6_amd64.changes ACCEPTED into unstable
Next by Date: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Previous by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Index(es):
- Date
- Thread