Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
The ca-certificates package in jessie is still vulnerable to #858539, that is, it still ships the WoSign and StartCom certificates which have been marked as blacklisted after October 21st 2016 by the Mozilla team. There was an NMU to unstable in May that seems to have trickled down into stable (stretch) but obviously not oldstable (jessie). I think it may be worth making an update for this.

I have sent a patch for both jessie and wheezy (the latter of which I can take care of myself) in the bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858539#66

.. and attached.

I wonder, however, if we should not also update the certdata.txt file to sync with upstream, as this features interesting additions like the Let's Encrypt root and removal of other certificates:

+ "AC RAIZ FNMT-RCM"
+ "Amazon Root CA 1"
+ "Amazon Root CA 2"
+ "Amazon Root CA 3"
+ "Amazon Root CA 4"
+ "LuxTrust Global Root 2"
+ "Symantec Class 1 Public Primary Certification Authority - G4"
+ "Symantec Class 1 Public Primary Certification Authority - G6"
+ "Symantec Class 2 Public Primary Certification Authority - G4"
+ "Symantec Class 2 Public Primary Certification Authority - G6"
- "Buypass Class 2 CA 1"
- "EBG Elektronik Sertifika Hizmet Saglayicisi"
- "Equifax Secure CA"
- "Equifax Secure Global eBusiness CA"
- "Equifax Secure eBusiness CA 1"
- "IGC/A"
- "Juur-SK"
- "RSA Security 2048 v3"
- "Root CA Generalitat Valenciana"
- "S-TRUST Authentication and Encryption Root CA 2005 PN"
- "Verisign Class 1 Public Primary Certification Authority"
- "Verisign Class 2 Public Primary Certification Authority - G2"
- "Verisign Class 3 Public Primary Certification Authority"

This update, from upstream NSS 2.4 to 2.11, has yet to be uploaded in unstable however, so I guess this would need to wait for a trickle down into buster and a synchronous update to stretch/jessie?
In general, this raises the question of whether we want the same certdata.txt across all suites or we are okay with having that file out of date in older releases. Let me know how this should be managed.

A.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
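Added example, not code from this report or from the ca-certificates package: a small Python model of how the Debian build combines mozilla/certdata.txt with mozilla/blacklist.txt, so that the two questions raised above (does a blacklist copied from unstable name every WoSign/StartCom label present in jessie's older certdata, and what a certdata sync would add or remove) can be checked mechanically rather than by eye. It assumes the simplified shipping rule that a root is installed when its CKO_NSS_TRUST object carries CKA_TRUST_SERVER_AUTH CKT_NSS_TRUSTED_DELEGATOR and its CKA_LABEL is not blacklisted; the certdata and blacklist excerpts are constructed.

```python
import re
# Constructed miniatures of mozilla/certdata.txt (CKO_CERTIFICATE objects omitted).
CERTDATA_OLD = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Equifax Secure CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""
CERTDATA_NEW = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Amazon Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Email-Only CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""
# Constructed mozilla/blacklist.txt: '#' comments, one quoted label per line.
BLACKLIST = """\
# DigiNotar Root CA (see debbug#639744)
"StartCom Certification Authority"
"WoSign"
"""
LABEL_RE = re.compile(r'^CKA_LABEL UTF8 "(.*)"$')
TRUST_RE = re.compile(r'^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$')
def parse_certdata(text):
    """Map each label to whether NSS trusts it for TLS server authentication."""
    trust, label = {}, None
    for line in text.splitlines():
        if m := LABEL_RE.match(line):
            label = m.group(1)
            trust.setdefault(label, False)  # a label with no trust object stays untrusted
        elif (m := TRUST_RE.match(line)) and label:
            trust[label] = m.group(1) == "CKT_NSS_TRUSTED_DELEGATOR"
    return trust
def parse_blacklist(text):
    return {l.strip().strip('"') for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}
def shipped_cas(certdata, blacklist):
    """Server-auth-trusted labels minus the blacklist: what reaches /etc/ssl/certs."""
    return sorted(l for l, ok in parse_certdata(certdata).items()
                  if ok and l not in parse_blacklist(blacklist))
def unmatched_blacklist(certdata, blacklist):
    """Blacklist entries naming no label in this certdata (e.g. an older suite's file)."""
    return sorted(parse_blacklist(blacklist) - set(parse_certdata(certdata)))
def label_diff(old, new):
    """Labels added and removed between two certdata versions (the +/- list above)."""
    a, b = set(parse_certdata(old)), set(parse_certdata(new))
    return sorted(b - a), sorted(a - b)
```

To run it against a real suite, replace the constructed strings with the contents of that suite's mozilla/certdata.txt and mozilla/blacklist.txt.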
From 9ac1618482517826a10a9dc0a49c8b3bc5595cb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Thu, 6 Jul 2017 13:28:22 -0400 Subject: [PATCH] merge in NMU for #858539 --- debian/changelog | 9 +++++++++ mozilla/blacklist.txt | 16 ++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/debian/changelog b/debian/changelog index a6b8b1e..88a7f1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ca-certificates (20141019+deb8u4) jessie; urgency=medium + + [ Chris Lamb ] + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are + now untrusted by the major browser vendors. Closes: #858539 + + -- Antoine Beaupré <anar...@debian.org> Thu, 06 Jul 2017 13:18:47 -0400 + ca-certificates (20141019+deb8u3) jessie; urgency=medium [ Michael Shuler ] diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index 911f9f1..6ea1732 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt @@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root" -- 2.11.0
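Review bot: in the debian/changelog hunk the new 20141019+deb8u4 entry keeps the `[ Chris Lamb ]` heading and `* Non-maintainer upload.` from the unstable NMU but is signed `-- Antoine Beaupré <anar...@debian.org>`, so the trailer and the NMU marker do not agree on who uploaded; either keep Chris Lamb's original entry with its own trailer and add a separate entry for the jessie upload, or reword the bullet so the entry describes this stable update in its uploader's name.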
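Review bot: the mozilla/blacklist.txt hunk carries six labels generated with `egrep 'WoSign|StartCom' mozilla/certdata.txt | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq`, but that command was run against unstable's certdata while the report says jessie's file is still at upstream NSS 2.4; before upload, rerun the same pipeline on jessie's own mozilla/certdata.txt and confirm the output is a subset of these six lines, since a blacklist entry with no matching label is inert whereas any WoSign/StartCom label present only in the older file would stay trusted. Also worth recording the jessie run's output in the changelog or the bug so the check is visible to the release team.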