Bug#630232: marked as done (New signatures for CAcert-Class 3-Subroot-certificate)
Your message dated Wed, 26 Oct 2011 18:32:15 +0000
with message-id <E1RJ8Gt-0003D5-JT@franck.debian.org>
and subject line Bug#630232: fixed in ca-certificates 20111025
has caused the Debian Bug report #630232,
regarding New signatures for CAcert-Class 3-Subroot-certificate
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
630232: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630232
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: New signatures for CAcert-Class 3-Subroot-certificate
- From: Alexander Bahlo <alex@cacert.org>
- Date: Sun, 12 Jun 2011 16:52:53 +0200
- Message-id: <4DF4D2C5.2020708@cacert.org>
Package: ca-certificates
Version: 20110421: all
Severity: important
Tags: security
CAcert has re-signed its Class 3-certificate with a new SHA256
signature. The formerly used MD5 signature is not seen as fully secure
any more by Mozilla (see: https://wiki.mozilla.org/CA:MD5and1024). Users
of Mozilla products like Firefox, and Thunderbird may experience errors
when these programs try to verify such certificates - others may follow.
Hence all users of CAcert's Class 3-certificates have to download and
install the newly signed certificates from CAcert's website.
The procedure in short:
1. Download the new Class 3 PKI Key from
http://www.cacert.org/index.php?id=3
2. SHA1-fingerprint must be:
AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
3. Make it of use in the ca-certificates package
I've added the tag that this bug is a security vulnerability. Well, not
exactly in the package itself, and the file itself also not. But if not
updated users experience errors and may find a security issue has
occured when it has not, or will experience a security vulnerability
because they have called a bad site with a hacked MD5 signature. So I
consider this as a security issue of priority low. Nevertheless I would
definitely want this bugfix to be included in all supported Debian
versions from stable (oldstable if supported) to experimental.
In case of further questions please don't hesitate to contact me.
Best regards,
Alexander Bahlo, CAcert.
--- End Message ---
--- Begin Message ---
Source: ca-certificates
Source-Version: 20111025
We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive:
ca-certificates_20111025.dsc
to main/c/ca-certificates/ca-certificates_20111025.dsc
ca-certificates_20111025.tar.gz
to main/c/ca-certificates/ca-certificates_20111025.tar.gz
ca-certificates_20111025_all.deb
to main/c/ca-certificates/ca-certificates_20111025_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 630232@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 25 Oct 2011 09:12:10 -0500
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20111025
Distribution: unstable
Urgency: low
Maintainer: Michael Shuler <michael@pbandjelly.org>
Changed-By: Michael Shuler <michael@pbandjelly.org>
Description:
ca-certificates - Common CA certificates
Closes: 537382 588219 619587 630232 643667
Changes:
ca-certificates (20111025) unstable; urgency=low
.
[ Michael Shuler ]
* Add 3.0 (native) source format
* Add Vcs-Git/Browser fields
* Add myself as new Maintainer with Uploaders Closes: #588219
* Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
Certificates added (+) and removed (-):
+ "AffirmTrust Commercial"
+ "AffirmTrust Networking"
+ "AffirmTrust Premium"
+ "AffirmTrust Premium ECC"
+ "A-Trust-nQual-03"
+ "Bogus Global Trustee"
+ "Bogus GMail"
+ "Bogus Google"
+ "Bogus kuix.de"
+ "Bogus live.com"
+ "Bogus Mozilla Addons"
+ "Bogus Skype"
+ "Bogus Yahoo 1"
+ "Bogus Yahoo 2"
+ "Bogus Yahoo 3"
+ "Certinomis - Autorité Racine"
+ "Certum Trusted Network CA"
+ "Explicitly Distrust DigiNotar Cyber CA"
+ "Explicitly Distrust DigiNotar Cyber CA 2nd"
+ "Explicitly Distrust DigiNotar Root CA"
+ "Explicitly Distrust DigiNotar Services 1024 CA"
+ "Explicitly Distrusted DigiNotar PKIoverheid"
+ "Explicitly Distrusted DigiNotar PKIoverheid G2"
+ "Go Daddy Root Certificate Authority - G2"
+ "Root CA Generalitat Valenciana"
+ "Starfield Root Certificate Authority - G2"
+ "Starfield Services Root Certificate Authority - G2"
+ "TWCA Root Certification Authority"
- "AOL Time Warner Root Certification Authority 1"
- "AOL Time Warner Root Certification Authority 2"
- "DigiNotar Root CA"
- "Entrust.net Global Secure Personal CA"
- "Entrust.net Global Secure Server CA"
- "Entrust.net Secure Personal CA"
- "IPS Chained CAs root"
- "IPS CLASE1 root"
- "IPS CLASE3 root"
- "IPS CLASEA1 root"
- "IPS CLASEA3 root"
- "IPS Timestamping root"
- "Thawte Personal Freemail CA"
- "Thawte Time Stamping CA"
* "Bogus *" CAs above address Comodo MITM 03/11 Closes: #619587
* Update CAcert-Class 3-Subroot-certificate Closes: #630232
.
[ Steve Langasek ]
* sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
the way before calling c_rehash, so that symlinks don't accidentally get
pointed here, breaking openssl certificate verification LP: #854927
.
[ Loïc Minier ]
* Drop bogus c_rehash on upgrades, which caused issue when
ca-certificates.crt was still in place; instead, call
update-ca-certificates --fresh on upgrades to this version, and
the usual update-ca-certificates otherwise Closes: #643667, #537382
Checksums-Sha1:
fd73ea4f9e085106bdf7979a29121fbf72b47dea 1747 ca-certificates_20111025.dsc
3c9817265915a43e1a2cd8d88325df3904fbf5ee 298904 ca-certificates_20111025.tar.gz
949ca2535b927753aa9edeb7afbedac9b793f630 185800 ca-certificates_20111025_all.deb
Checksums-Sha256:
3322f8df3c8edfba2a11b03b995f52b953810ddede324433c0ba285b0e3a0c13 1747 ca-certificates_20111025.dsc
318bbf0f7c0a32adc10105f843148fd0e9e3b013de75645c02ea858652240924 298904 ca-certificates_20111025.tar.gz
7d743b307ab31138176d6da4fff1f4c7f6bd246b42698662894bfb1b74e55647 185800 ca-certificates_20111025_all.deb
Files:
0e3c65cb361b2710ce8626ec53cfeb1c 1747 misc optional ca-certificates_20111025.dsc
dfd593c9f89e64351aae78b9be588696 298904 misc optional ca-certificates_20111025.tar.gz
245d8b5bba947b8ae786e0f14459dd18 185800 misc optional ca-certificates_20111025_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIVAwUBTqhQpocvcCxNbiWoAQKEhw//aOuTI95KwsJCv2eTmjMOalK16QgBYApZ
/5Evz0XGl9UD/Ec9H37AEBfwXRdOyOaAJIrV46xzk5J6R+nRWyCViL4czyabuSLh
llLJXAVOx4zyL3BdBN1eDqETrOVD+Y8j5odQfo9Cgmt9ucY4wWVLNNbYLqYlFwpd
rEPHxyYYXGC5riWwEK9+JNKkS4J+AAcy/5oCzqdQFBlyTsLM8cBfscDJQSEvg8Xm
vPm5k7tgzyYn6lUKOPwBg6+/LembJ5D32fRyTWzZk7kZNcs4I6ldwtQG43eUSEPe
E7Wapb+rZLK0IGzBGSCufCGmq7/w7V0URpC9h30m2OVYtijoJkJthE7mhQONjPU3
4K02L2FszF2QMSLU8AGYrLhWCeFfefGhKS0/dIWkDZRc4r2uqIegaBLkH6sUDv4X
2WlzyVN+e/LS7f3Cmx7EUbqol8jOyxF3l49DAaaWap1z25mZqxoi6MaqNDk46VOn
+9iHXxV1ZVSxKuDaOAYD5HCUA0gL4ggvZk5+ZsvJV2iwmmXJ24tFNa9+Lvz3ZyIX
CElWS1qxCCDTE0M9U93dnxbaC39yAO6dPyScsl8UOOfCOK90hEy+UooLUdD4YUpF
7RTizkIxBSwUXzxMtV7RuN4DIZSJzekQqpKOioPzglDn/xPMli+bsLnmGMhuDNAA
PIJAlpTV5OE=
=tF07
-----END PGP SIGNATURE-----
--- End Message ---
Reply to: