Package: ca-certificates
Version: 20150426
Severity: important

Dear maintainer and security team,

ca-certificates hasn't been updated since April 2015. Since then, 14 CAs have been removed from the NSS root store [1, 2]. ca-certificates in stable hasn't been updated since October 2014. Since then, 6 additional CAs have been removed [3, 4]. ca-certificates in oldstable is even older.

This is concerning because some of the removed CAs have failed or are no longer conducting audits, which means we have no idea what security practices they are currently following. Applications on Debian which use the ca-certificates store still trust these CAs, putting users at risk. For example, the e-Guven root certificate, which was removed from the NSS store in April due to "insufficient and outdated audits" [5, 6], continues to be trusted in stable and oldstable.

First, could we get an update soon to ca-certificates that reflects these removals?

Second, could ca-certificates be updated more frequently in the future? Security Team, could updates to ca-certificates be pushed out through security.debian.org for (old)stable? If there is an issue of manpower, I'm willing to help co-maintain ca-certificates (I'm a DM) and prepare packages for security.debian.org.

We're lucky that Mozilla runs such a great root program: it's thorough and responsive, and aligns with Debian's values by being open and community-driven. Let's take full advantage of it in Debian!

Thanks,
Andrew

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1214729
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1175227
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1145270
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1088147
[5] https://blog.mozilla.org/security/2015/04/27/removing-e-guven-ca-certificate/
[6] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/LKJO9W5dkSY