Bug#962245: RFS: ca-certificates/20200601~deb9u1 [RC] -- Common CA certificates

[Adrian Bunk <bunk@debian.org>]

Control: tags -1 moreinfo

On Thu, Jun 04, 2020 at 08:37:24PM -0500, Michael Shuler wrote:
>...
> Changes since the last upload:
> 
>    * Rebuild for stretch.
>    * Merge changes from 20200601
>      - d/control
>    * This release updates the Mozilla CA bundle to 2.40, blacklists
>      distrusted Symantec roots, and blacklists expired "AddTrust External
>      Root". Closes: #956411, #955038, #911289, #961907
>    * Fix permissions on /usr/local/share/ca-certificates when using
> symlinks.
>      Closes: #916833
>...

Compared to 20200601 and 20200601~deb10u1 this contains the following
additional files:

/usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
/usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
/usr/share/ca-certificates/mozilla/D-TRUST_Root_CA_3_2013.crt
/usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/doc/ca-certificates/NEWS.Debian.gz

The additional NEWS.Debian.gz is either correct or harmless,
the additional certificates are not.

This is due to the backport missing the "Remove email-only roots from 
mozilla trust store" (#721976) change that is in 20200601.

Please update the stretch-pu request with that fixed and let me know
when the corrected debdiff is approved.

> Kind regards,
> Michael Shuler

cu
Adrian