
Bug#867461: jessie-pu: package ca-certificates/20141019+deb8u3



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

The ca-certificates package in jessie is still vulnerable to #858539,
that is, it still ships the WoSign and StartCom certificates which have
been marked as blacklisted after October 21st 2016 by the Mozilla
team.

There was an NMU to unstable in May that seems to have trickled down
into stable (stretch) but obviously not oldstable (jessie).

I think it may be worth making an update for this. I have sent a patch
for both jessie and wheezy (the latter of which I can take care of myself)
in the bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539#66

... and attached.

I wonder, however, if we should not also update the certdata.txt file
to sync with upstream, as this features interesting additions like the
Let's Encrypt root and removal of other certificates:

+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "LuxTrust Global Root 2"
+ "Symantec Class 1 Public Primary Certification Authority - G4"
+ "Symantec Class 1 Public Primary Certification Authority - G6"
+ "Symantec Class 2 Public Primary Certification Authority - G4"
+ "Symantec Class 2 Public Primary Certification Authority - G6"
- "Buypass Class 2 CA 1"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure Global eBusiness CA"
- "Equifax Secure eBusiness CA 1"
- "IGC/A"
- "Juur-SK"
- "RSA Security 2048 v3"
- "Root CA Generalitat Valenciana"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"

This update, from upstream NSS 2.4 to 2.11, has yet to be uploaded to
unstable, however, so I guess this would need to wait for a trickle down
into buster and a synchronous update to stretch/jessie?

In general, this raises the question of whether we want the same
certdata.txt across all suites or whether we are okay with having that
file out of date in older releases.

Let me know how this should be managed.

A.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

From 9ac1618482517826a10a9dc0a49c8b3bc5595cb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Thu, 6 Jul 2017 13:28:22 -0400
Subject: [PATCH] merge in NMU for #858539

---
 debian/changelog      |  9 +++++++++
 mozilla/blacklist.txt | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a6b8b1e..88a7f1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ca-certificates (20141019+deb8u4) jessie; urgency=medium
+
+  [ Chris Lamb ]
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+    now untrusted by the major browser vendors. Closes: #858539
+
+ -- Antoine Beaupré <anarcat@debian.org>  Thu, 06 Jul 2017 13:18:47 -0400
+
 ca-certificates (20141019+deb8u3) jessie; urgency=medium
 
   [ Michael Shuler ]
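Review bot: the changelog entry does not say where this change comes from: the `[ Chris Lamb ]` block and "Non-maintainer upload." are carried over from the unstable NMU, while the entry itself is signed by Antoine Beaupré and targets jessie. Since the commit subject already says "merge in NMU for #858539", consider adding a line under the signer's own block that states it in the changelog too, e.g. `* Merge the unstable NMU for #858539 into jessie.`, so the provenance is clear from the package alone.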
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 911f9f1..6ea1732 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+#         | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"
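Review bot: two points on the blacklist comment and its scope. The generating command pipes through `uniq` without a preceding `sort`, so it only collapses adjacent duplicates and depends on the label order in certdata.txt; `sort -u` would make it order-independent and is worth using in the documented command. More importantly, dropping these six roots entirely is stricter than the Mozilla policy linked as [0], whose title refers to distrusting *new* WoSign and StartCom certificates; on jessie, certificates these CAs issued before the cutoff will stop validating as well, and that behaviour difference should be stated in the changelog so stable users are not surprised.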
-- 
2.11.0
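As an added example (not part of this bug report, and not the ca-certificates package's own build script), the following Python checker illustrates the label-based blacklisting that the patch above relies on: it reads the `CKA_LABEL UTF8 "..."` lines of a certdata.txt, applies a blacklist.txt of quoted labels, and reports blacklist entries that match nothing, since a mistyped or renamed label would otherwise leave that root trusted without any error. Both the certdata.txt and blacklist.txt snippets are constructed samples; the `ISRG Root X1` label stands in for the Let's Encrypt root mentioned in the report, and the `StartCom Certification Authority G2` entry is deliberately absent from the sample certdata so the stale-entry report has something to show.

```python
import re

# Constructed sample of certdata.txt entries. In the real file each root
# appears twice, as a certificate object and as a trust object, and both
# carry the same CKA_LABEL; other attributes (CKA_VALUE, serial, ...) are
# omitted here because only the label lines matter for blacklisting.
SAMPLE_CERTDATA = '''\
# Certificate "DigiNotar Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "DigiNotar Root CA"
# Trust for "DigiNotar Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "DigiNotar Root CA"

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "StartCom Certification Authority"

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "WoSign"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "WoSign"

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "ISRG Root X1"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "ISRG Root X1"
'''

# Constructed sample in the blacklist.txt format used by the patch:
# '#' comments, blank lines, and one quoted label per line.
SAMPLE_BLACKLIST = '''\
# DigiNotar Root CA (see debbug#639744)
"DigiNotar Root CA"

# StartCom and WoSign roots (hypothetical subset for this example)
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"WoSign"
'''

LABEL_RE = re.compile(r'^CKA_LABEL UTF8 "(.*)"\s*$')


def parse_certdata_labels(text):
    """Return every CKA_LABEL value in file order, duplicates included."""
    labels = []
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            labels.append(m.group(1))
    return labels


def parse_blacklist(text):
    """Return the set of quoted labels, skipping comments and blank lines."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            names.add(line[1:-1])
    return names


def _unique(seq):
    """Deduplicate while preserving first-seen order."""
    seen, out = set(), []
    for item in seq:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def apply_blacklist(certdata_text, blacklist_text):
    """Split certdata labels into kept/dropped and flag stale blacklist entries."""
    labels = _unique(parse_certdata_labels(certdata_text))
    blocked = parse_blacklist(blacklist_text)
    return {
        "kept": [l for l in labels if l not in blocked],
        "dropped": [l for l in labels if l in blocked],
        # Blacklisted labels that match nothing: a typo here is silent.
        "stale": sorted(blocked - set(labels)),
    }


if __name__ == "__main__":
    result = apply_blacklist(SAMPLE_CERTDATA, SAMPLE_BLACKLIST)
    for key in ("kept", "dropped", "stale"):
        print(f"{key}:")
        for label in result[key]:
            print(f'  "{label}"')
```

Run against a real pair of files by reading them into the two arguments; a non-empty `stale` list is the thing to look at first, because it means a blacklist line is not actually removing anything.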