Bug#647548: marked as done (ca-certificates: Mozilla is revoking trust in all certificates issued by DigiCert Sdn. Bhd.)

[Debian Bug Tracking System]

Your message dated Sun, 06 Nov 2011 17:51:29 -0600
with message-id <4eb71d81.3090...@pbandjelly.org>
and subject line Re: Bug#647548: ca-certificates: Mozilla is revoking trust in 
all certificates issued by DigiCert Sdn. Bhd.
has caused the Debian Bug report #647548,
regarding ca-certificates: Mozilla is revoking trust in all certificates issued 
by DigiCert Sdn. Bhd.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
647548: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: ca-certificates
Version: 20111025
Severity: important

DigiCert Sdn. Bhd. is an Entrust subordinate CA and has issued 22 certificates
with weak keys.  An attacker could use one of these weak certificates to
impersonate the legitimate owners.  Mozilla is revoking trust in all
certificates issued by DigiCert Sdn. Bhd.

Relevant Mozilla post:
http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/

Relevant Entrust statement:
http://www.entrust.net/advisories/malaysia.htm


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (300, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-2-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.41  
ii  openssl                1.0.0e-2

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/title:
* ca-certificates/enable_crts: brasil.gov.br/brasil.gov.br.crt, 
cacert.org/cacert.org.crt, debconf.org/ca.crt, mozilla/ACEDICOM_Root.crt, 
mozilla/AC_Raíz_Certicámara_S.A..crt, mozilla/AddTrust_External_Root.crt, 
mozilla/AddTrust_Low-Value_Services_Root.crt, 
mozilla/AddTrust_Public_Services_Root.crt, 
mozilla/AddTrust_Qualified_Certificates_Root.crt, 
mozilla/AffirmTrust_Commercial.crt, mozilla/AffirmTrust_Networking.crt, 
mozilla/AffirmTrust_Premium.crt, mozilla/AffirmTrust_Premium_ECC.crt, 
mozilla/America_Online_Root_Certification_Authority_1.crt, 
mozilla/America_Online_Root_Certification_Authority_2.crt, 
mozilla/ApplicationCA_-_Japanese_Government.crt, mozilla/A-Trust-nQual-03.crt, 
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, 
mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_CA_1.crt, 
mozilla/Buypass_Class_3_CA_1.crt, mozilla/CA_Disig.crt, 
mozilla/Camerfirma_Chambers_of_Commerce_Root.crt, 
mozilla/Camerfirma_Global_Chambersign_Root.crt, 
 mozilla/Certigna.crt, mozilla/Certinomis_-_Autorité_Racine.crt, 
mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/certSIGN_ROOT_CA.crt, 
mozilla/Certum_Root_CA.crt, mozilla/Certum_Trusted_Network_CA.crt, 
mozilla/Chambers_of_Commerce_Root_-_2008.crt, mozilla/CNNIC_ROOT.crt, 
mozilla/Comodo_AAA_Services_root.crt, 
mozilla/COMODO_Certification_Authority.crt, 
mozilla/COMODO_ECC_Certification_Authority.crt, 
mozilla/Comodo_Secure_Services_root.crt, 
mozilla/Comodo_Trusted_Services_root.crt, mozilla/ComSign_CA.crt, 
mozilla/ComSign_Secured_CA.crt, mozilla/Cybertrust_Global_Root.crt, 
mozilla/Deutsche_Telekom_Root_CA_2.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt, 
mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt, 
mozilla/DST_ACES_CA_X6.crt, mozilla/DST_Root_CA_X3.crt, 
mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt, mozilla/E-Guven_Kok_El
 ektronik_Sertifika_Hizmet_Saglayicisi.crt, 
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, 
mozilla/Entrust.net_Secure_Server_CA.crt, 
mozilla/Entrust_Root_Certification_Authority.crt, 
mozilla/ePKI_Root_Certification_Authority.crt, mozilla/Equifax_Secure_CA.crt, 
mozilla/Equifax_Secure_eBusiness_CA_1.crt, 
mozilla/Equifax_Secure_eBusiness_CA_2.crt, 
mozilla/Equifax_Secure_Global_eBusiness_CA.crt, 
mozilla/Firmaprofesional_Root_CA.crt, mozilla/GeoTrust_Global_CA_2.crt, 
mozilla/GeoTrust_Global_CA.crt, 
mozilla/GeoTrust_Primary_Certification_Authority.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, 
mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, 
mozilla/Global_Chambersign_Root_-_2008.crt, mozilla/GlobalSign_Root_CA.crt, 
mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, 
mozilla/Go_Daddy_Class_2_CA.crt, 
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, mo
 zilla/GTE_CyberTrust_Global_Root.crt, mozilla/Hongkong_Post_Root_CA_1.crt, 
mozilla/IGC_A.crt, mozilla/Izenpe.com.crt, mozilla/Juur-SK.crt, 
mozilla/Microsec_e-Szigno_Root_CA_2009.crt, 
mozilla/Microsec_e-Szigno_Root_CA.crt, 
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, 
mozilla/NetLock_Business_=Class_B=_Root.crt, 
mozilla/NetLock_Express_=Class_C=_Root.crt, 
mozilla/NetLock_Notary_=Class_A=_Root.crt, 
mozilla/NetLock_Qualified_=Class_QA=_Root.crt, 
mozilla/Network_Solutions_Certificate_Authority.crt, 
mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt, mozilla/QuoVadis_Root_CA_2.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA.crt, 
mozilla/Root_CA_Generalitat_Valenciana.crt, mozilla/RSA_Root_Certificate_1.crt, 
mozilla/RSA_Security_2048_v3.crt, mozilla/Secure_Global_CA.crt, 
mozilla/SecureSign_RootCA11.crt, mozilla/SecureTrust_CA.crt, 
mozilla/Security_Communication_EV_RootCA1.crt, 
mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_1_Root_CA.crt, 
mozill
 a/Sonera_Class_2_Root_CA.crt, mozilla/Staat_der_Nederlanden_Root_CA.crt, 
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt, 
mozilla/Starfield_Class_2_CA.crt, 
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, 
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, 
mozilla/StartCom_Certification_Authority.crt, 
mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt, 
mozilla/Swisscom_Root_CA_1.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, 
mozilla/SwissSign_Platinum_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, 
mozilla/Taiwan_GRCA.crt, mozilla/TC_TrustCenter_Class_2_CA_II.crt, 
mozilla/TC_TrustCenter_Class_3_CA_II.crt, 
mozilla/TC_TrustCenter__Germany__Class_2_CA.crt, 
mozilla/TC_TrustCenter__Germany__Class_3_CA.crt, 
mozilla/TC_TrustCenter_Universal_CA_I.crt, 
mozilla/TC_TrustCenter_Universal_CA_III.crt, mozilla/TDC_Internet_Root_CA.crt, 
mozilla/TDC_OCES_Root_CA.crt, mozilla/Thawte_Premium_Server_CA.crt, 
mozilla/thawte_Primary_Root_CA.crt, mozilla/thawte_Primary_
 Root_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA_-_G3.crt, 
mozilla/Thawte_Server_CA.crt, 
mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt, 
mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt, 
mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt, 
mozilla/TWCA_Root_Certification_Authority.crt, 
mozilla/UTN_DATACorp_SGC_Root_CA.crt, mozilla/UTN_USERFirst_Email_Root_CA.crt, 
mozilla/UTN_USERFirst_Hardware_Root_CA.crt, mozilla/ValiCert_Class_1_VA.crt, 
mozilla/ValiCert_Class_2_VA.crt, 
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt, 
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/Verisign_Class_3_Public
 _Primary_Certification_Authority.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, 
mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt, 
mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/VeriSign_Universal_Root_Certification_Authority.crt, 
mozilla/Visa_eCommerce_Root.crt, mozilla/Wells_Fargo_Root_CA.crt, 
mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, 
mozilla/XRamp_Global_CA_Root.crt, signet.pl/signet_ca1_pem.crt, 
signet.pl/signet_ca2_pem.crt, signet.pl/signet_ca3_pem.crt, 
signet.pl/signet_ocspklasa2_pem.crt, signet.pl/signet_ocspklasa3_pem.crt, 
signet.pl/signet_pca2_pem.crt, signet.pl/signet_pca3_pem.crt, 
signet.pl/signet_rootca_pem.crt, signet.pl/signet_tsa1_pem.cr
 t, spi-inc.org/spi-ca-2003.crt, spi-inc.org/spi-cacert-2008.crt
  ca-certificates/new_crts:
* ca-certificates/trust_new_crts: yes

--- End Message ---

--- Begin Message ---

notfound 647548 20111025
tags 647548 + wontfix
thanks

On 11/05/2011 01:54 AM, Raphael Geissert wrote:
> Since ca-certificates doesn't deal with intermediate CAs, nothing can be done 
> about it here.

I had considered working on a way to install explicitly untrusted
certificates, but it seems out of scope for ca-certificates.

-- 
Kind regards,
Michael

--- End Message ---