Bug#962008: RFS: ca-certificates/20200601 [RC] -- Common CA certificates
On 6/3/20 1:37 AM, Adrian Bunk wrote:
> ca-certificates (20200601) unstable; urgency=medium
> ca-certificates (20200601~deb10u1) buster-security; urgency=medium
> ca-certificates (20200601~deb9u1) stretch-security; urgency=medium
>
> Did you already agree with the security team (Cc'ed) that these should
> also be published as DSA for stable and oldstable?
>
> If yes, a security team member might be the best person to sponsor these
> for unstable/buster-security/stretch-security.
>
> If they shouldn't be treated as DSA, the uploads for stable and
> oldstable have to be done differently.
>
> BTW: What is the next expiry date of any certificate in ca-certificates?
(Note: 20200601 has been uploaded to unstable by Andrew Shadura
<bugzilla@tut.by> - thank you for the upload, Andrew.)
Re: expiry dates:
Generally, expiry date has not been an issue remaining in the bundle
until removal upstream, since the certification authorities have managed
migration to new roots well and openssl>=1.1.1 handles this gracefully.
This appears to have not been the case with AddTrust and older
openssl<1.1.1 bug, as that fix was not backported, to the best of my
understanding.
I would have to cycle through all the certs to see what dates are
upcoming, but this is a new(old-openssl) problem, apparently. I don't
have that bit of time at this very moment.
Re: security uploads:
I have received no reply from the security team, as of this message, so
awaiting their OK/advice. Copy of email sent to team@security, since
there is no secret info in here:
-------- Forwarded Message --------
Subject: ca-certificates: buster-security & stretch-security (and sid) uploads
Date: Mon, 1 Jun 2020 22:22:47 -0500
From: Michael Shuler <michael@pbandjelly.org>
To: team@security.debian.org
Hi Security Team,
I committed changes to git for an RC security issue, as well as
updated the certificate bundle to current. This has been critical for a
number of web services failing due to the expired certificate on older
operating systems. Evidently this has been fixed in openssl-1.1.1, but
never backported.
I have prepared unstable, and stable/oldstable security updates on mentors.
https://salsa.debian.org/debian/ca-certificates/
master sha for unstable (ca-certificates_20200601):
b3a8980b · Fix typo on AddTrust CN
RC bug fixed:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961907
CA update:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955038
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956411
Symantec roots explicitly blacklisted:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911289
The master branch was merged to the debian-buster and debian-stretch
branches (control file kept) and releases created for buster-security
and stretch-security
debian-buster sha (ca-certificates_20200601~deb10u1):
5256b350 · Set buster-security for suite
debian-stretch sha (ca-certificates_20200601~deb10u1):
7bd8f941 · Set stretch-security for suite
I uploaded all 3 to mentors and they are ready to be sponsored:
https://mentors.debian.net/package/ca-certificates
bug#s for the mentors upload requests:
unstable:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962008
buster-security:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962009
stretch-security:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962010
Please, let me know if I can provide any additional info.
Kind regards,
Michael
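Adrian's question about the next expiry date in the bundle can be answered by walking the installed PEM files and reading each certificate's notAfter. This is an added example, not code from the ca-certificates package or from anyone in this thread; it uses only the Python standard library (a minimal DER walker instead of an X.509 library), assumes the bundle is installed under /etc/ssl/certs, and the sample certificate it builds for demonstration is constructed, not a real root.

```python
"""Sort a ca-certificates style directory by expiry (added example, not the package's code)."""
import base64, datetime as dt, glob, os, pathlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (real certs use this)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)            # Certificate -> tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                      # version [0] is optional (absent in v1)
    if tag != 0xA0:
        pos = 0
    for _ in range(3):                              # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    validity = _tlv(tbs, pos)[1]                    # Validity ::= SEQUENCE {notBefore, notAfter}
    tag, val, _ = _tlv(validity, _tlv(validity, 0)[2])
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def expiry_table(pems):
    """pems: {name: PEM bytes} -> [(notAfter, name), ...] sorted soonest-expiring first."""
    rows = []
    for name, pem in pems.items():
        for m in PEM_RE.finditer(pem):              # a file may hold several certificates
            rows.append((not_after(base64.b64decode(b"".join(m.group(1).split()))), name))
    return sorted(rows)

def scan_dir(path="/etc/ssl/certs"):
    """Read every *.pem under path (assumed location of the installed bundle)."""
    files = glob.glob(os.path.join(path, "*.pem"))
    return expiry_table({os.path.basename(f): pathlib.Path(f).read_bytes() for f in files})

# Constructed sample: a minimal DER skeleton carrying only the fields walked above.
def _der(tag, body):
    assert len(body) < 128, "sample encoder uses short-form lengths only"
    return bytes([tag, len(body)]) + body

def sample_pem(not_after_utc):
    """PEM blob whose notAfter is the given UTCTime string, e.g. b'200530104838Z' (constructed)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, _der(0x17, b"000101000000Z") + _der(0x17, not_after_utc)))
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for when, name in scan_dir():
        print(when.date(), name)
```

Run on a system with the bundle installed, the first line printed is the answer to "what expires next"; the same walker works on real roots because it only reads the fields every X.509 certificate must carry.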