
Bug#867461: marked as done (jessie-pu: package ca-certificates/20141019+deb8u3)



Your message dated Sun, 17 Jun 2018 20:15:50 +0100
with message-id <1529262950.2082.33.camel@adam-barratt.org.uk>
and subject line Re: Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?
has caused the Debian Bug report #867461,
regarding jessie-pu: package ca-certificates/20141019+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
867461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867461
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

The ca-certificates package in jessie is still vulnerable to #858539,
that is, it still ships the WoSign and StartCom certificates which have
been marked as blacklisted after October 21st 2016 by the Mozilla
team.

There was an NMU to unstable in May that seems to have trickled down
into stable (stretch) but obviously not oldstable (jessie).

I think it may be worth making an update for this. I have sent a patch
for both jessie and wheezy (the latter of which I can take care of myself)
in the bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539#66

... and attached.

I wonder, however, if we should not also update the certdata.txt file
to sync with upstream, as this features interesting additions like the
Let's Encrypt root and removal of other certificates:

+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "LuxTrust Global Root 2"
+ "Symantec Class 1 Public Primary Certification Authority - G4"
+ "Symantec Class 1 Public Primary Certification Authority - G6"
+ "Symantec Class 2 Public Primary Certification Authority - G4"
+ "Symantec Class 2 Public Primary Certification Authority - G6"
- "Buypass Class 2 CA 1"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure Global eBusiness CA"
- "Equifax Secure eBusiness CA 1"
- "IGC/A"
- "Juur-SK"
- "RSA Security 2048 v3"
- "Root CA Generalitat Valenciana"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"

This update, from upstream NSS 2.4 to 2.11, has yet to be uploaded to
unstable however, so I guess this would need to wait for a trickle down
into buster and a synchronous update to stretch/jessie?

In general, this raises the question of whether we want the same
certdata.txt across all suites or whether we are okay with having that
file out of date in older releases.

Let me know how this should be managed.

A.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
From 9ac1618482517826a10a9dc0a49c8b3bc5595cb3 Mon Sep 17 00:00:00 2001
From: Antoine Beaupré <anarcat@debian.org>
Date: Thu, 6 Jul 2017 13:28:22 -0400
Subject: [PATCH] merge in NMU for #858539

---
 debian/changelog      |  9 +++++++++
 mozilla/blacklist.txt | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a6b8b1e..88a7f1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ca-certificates (20141019+deb8u4) jessie; urgency=medium
+
+  [ Chris Lamb ]
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+    now untrusted by the major browser vendors. Closes: #858539
+
+ -- Antoine Beaupré <anarcat@debian.org>  Thu, 06 Jul 2017 13:18:47 -0400
+
 ca-certificates (20141019+deb8u3) jessie; urgency=medium
 
   [ Michael Shuler ]
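Review bot: the version this entry introduces is 20141019+deb8u4, while the pu request it accompanies is titled for 20141019+deb8u3, which is the entry already in jessie directly below; the bug title should be updated to name deb8u4 so the release team tracks the version actually being proposed. The "[ Chris Lamb ]" block reproduces the unstable NMU text, so a short note that this is a backport of that NMU (rather than a new change) would help whoever reviews the jessie diff.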
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 911f9f1..6ea1732 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+#         | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"
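Review bot: the generated list is only as reliable as the certdata.txt revision the documented `egrep 'WoSign|StartCom' ... | uniq` pipeline was run against, and the comment does not say which one; since blacklist.txt matches CKA_LABEL strings verbatim, a label that does not appear in jessie's shipped mozilla/certdata.txt would simply match nothing, leaving that root trusted. Suggest re-running the pipeline against the jessie branch's own certdata.txt before upload, and recording the bundle revision in the comment (e.g. "generated against the 20141019 certdata.txt"), so the six labels can be re-verified when certdata.txt is next updated. Note also that `uniq` only collapses adjacent duplicates, which is sufficient here only because each root's certificate and trust objects carry the same label consecutively in the file.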
-- 
2.11.0


--- End Message ---
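The mechanism the report above relies on, blacklist.txt removing roots from the shipped certdata.txt by their CKA_LABEL string, and its second question about keeping certdata.txt in sync across suites, as an added example that is not part of the bug report or of the ca-certificates package: a parser for the certdata.txt record layout, the blacklist applied the way the patch describes, a reproduction of the quoted `egrep ... | uniq` pipeline, and a label-level diff between two bundle revisions like the `+`/`-` list in the report. The bundle text is constructed and heavily abbreviated (the CKA_VALUE DER blobs and most attributes are omitted), and all function names are this example's own.

```python
"""Added example, not code from the ca-certificates package or the bug report.
Parses an abbreviated, constructed certdata.txt, applies a blacklist.txt of
CKA_LABEL strings, and diffs the root set between two bundle revisions."""
import re

LABEL_RE = re.compile(r'^CKA_LABEL UTF8 "(.*)"$')


def entry(label, server_auth="CKT_NSS_TRUSTED_DELEGATOR"):
    """Constructed, abbreviated certdata.txt record: a certificate object
    followed by a trust object with the same label. Real records also carry
    CKA_VALUE MULTILINE_OCTAL (the DER) and several more attributes."""
    return (
        f'# Certificate "{label}"\n'
        "CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
        f'CKA_LABEL UTF8 "{label}"\n'
        "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"
        f'CKA_LABEL UTF8 "{label}"\n'
        f"CKA_TRUST_SERVER_AUTH CK_TRUST {server_auth}\n"
        "CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n"
    )


# Constructed "old" bundle standing in for the jessie certdata.txt.
OLD_CERTDATA = "".join(entry(l) for l in [
    "DigiNotar Root CA", "Equifax Secure CA",
    "StartCom Certification Authority", "WoSign", "WoSign China",
]) + entry("Constructed Distrusted Root", "CKT_NSS_NOT_TRUSTED")

# Constructed "new" bundle: one root removed, one added.
NEW_CERTDATA = OLD_CERTDATA.replace(entry("Equifax Secure CA"), "") \
    + entry("Amazon Root CA 1")

# blacklist.txt as shipped before the patch in the report (one quoted label per line).
OLD_BLACKLIST = '# DigiNotar Root CA (see debbug#639744)\n"DigiNotar Root CA"\n'


def parse_certdata(text):
    """Map each CKA_LABEL to True if its trust object marks the root as a
    trusted TLS server-auth anchor (CKT_NSS_TRUSTED_DELEGATOR), else False."""
    roots, label = {}, None
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            label = m.group(1)
            roots.setdefault(label, False)
        elif line.startswith("CKA_TRUST_SERVER_AUTH ") and label is not None:
            roots[label] = line.split()[-1] == "CKT_NSS_TRUSTED_DELEGATOR"
    return roots


def load_blacklist(text):
    """blacklist.txt format: quoted labels, '#' comments and blank lines ignored."""
    labels = set()
    for line in text.splitlines():
        line = line.strip()
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            labels.add(line[1:-1])
    return labels


def trusted_roots(certdata_text, blacklist_text):
    """Labels that end up shipped: server-auth trusted and not blacklisted."""
    banned = load_blacklist(blacklist_text)
    return sorted(l for l, ok in parse_certdata(certdata_text).items()
                  if ok and l not in banned)


def blacklist_candidates(certdata_text, pattern):
    """Reproduce the pipeline quoted in the patch comment:
        egrep PATTERN certdata.txt | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
    Labels are returned without the surrounding quotes. 'uniq' only drops
    adjacent repeats, which suffices because a root's certificate and trust
    objects carry the same label consecutively."""
    rx, out = re.compile(pattern), []
    for line in certdata_text.splitlines():
        m = LABEL_RE.match(line)
        if m and rx.search(line) and (not out or out[-1] != m.group(1)):
            out.append(m.group(1))
    return out


def diff_bundles(old_text, new_text):
    """(added, removed) root labels between two bundle revisions."""
    old, new = set(parse_certdata(old_text)), set(parse_certdata(new_text))
    return sorted(new - old), sorted(old - new)


# blacklist.txt after the patch: the generated WoSign/StartCom labels appended.
NEW_BLACKLIST = OLD_BLACKLIST + "".join(
    f'"{l}"\n' for l in blacklist_candidates(OLD_CERTDATA, "WoSign|StartCom"))

if __name__ == "__main__":
    print("before patch:", trusted_roots(OLD_CERTDATA, OLD_BLACKLIST))
    print("after patch: ", trusted_roots(OLD_CERTDATA, NEW_BLACKLIST))
    print("bundle diff: ", diff_bundles(OLD_CERTDATA, NEW_CERTDATA))
```

Run against a real `mozilla/certdata.txt`, `blacklist_candidates` reproduces the label list the patch comment says it was generated with, and `trusted_roots` shows which roots survive after blacklist.txt is applied; `diff_bundles` between two revisions of certdata.txt gives the kind of `+`/`-` label list the report pastes for the NSS 2.4 to 2.11 update.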
--- Begin Message ---
Control: tags -1 + wontfix

On Sun, 2018-06-10 at 20:33 -0500, Michael Shuler wrote:
> On 06/08/2018 03:37 PM, Adam D. Barratt wrote:
> > 
> > Ping? We're a week away from the final chance to get an update into
> > jessie-as-oldstable before it becomes jessie-lts.
> 
> Thanks for the ping. I updated the debian-jessie branch of 
> ca-certificates with mozilla bundle 2.22, and it's ready to be
> uploaded.
> 
> Thijs, might you have a chance to upload 20141019+deb8u4 to 
> jessie-updates? If not, perhaps we can wrangle someone else to help.

Unfortunately there was no reply to the above query, and the window for
getting fixes in to the final point release for jessie (before it moves
to LTS support) has now closed.

Regards,

Adam

--- End Message ---
