Package: ca-certificates
Version: 20190110
Severity: normal

1. The configuration file /etc/ca-certificates.conf is hard-coding potentially insecure mozilla/QuoVadis certificate authorities into the base system. This change might unintentionally affect TLS security in future releases of Debian and is not necessary or recommended.

2. We also need to make sure debconf will not trust and import new certificate authorities by default when doing package upgrades, or there should be a way for the user to remove any unwanted CA entries.

References:
1. https://isotopesoftware.ca/wiki/DarkMatter
2. https://twitter.com/wise_project/status/1102931776954089474
3. https://twitter.com/wise_project/status/1120920928915947520

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  openssl                1.1.1b-2

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded
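The report asks for a way to drop unwanted CA entries and to stop new CAs from being trusted automatically on upgrade. The following script is an added example, not part of this bug report or of the ca-certificates package. It assumes the documented format of /etc/ca-certificates.conf (one `<dir>/<file>.crt` entry per line, a leading `!` marking an entry as deselected so update-ca-certificates will not link it into /etc/ssl/certs) and the package's debconf template `ca-certificates/trust_new_crts`. The `deselect_ca`, `count_active`, `count_deselected` and `set_trust_policy` helper names are this example's own. It operates on whatever file path it is given, so it can be tried on a constructed copy before touching the real configuration.

```shell
#!/bin/sh
# Added example (not from the bug report or the ca-certificates package).
# Deselect CA entries in a ca-certificates.conf-style file by regex, and
# show how the debconf "trust new CAs" policy can be pinned to "no".

# deselect_ca FILE PATTERN
# Prefix every active entry whose path matches the extended regex PATTERN
# with "!", which update-ca-certificates treats as "do not trust".
# Comments, blank lines and already-deselected entries are left untouched.
deselect_ca() {
    conf="$1"; pattern="$2"
    tmp="$(mktemp)" || return 1
    awk -v pat="$pattern" '
        /^[ \t]*#/ || /^[ \t]*$/ || /^!/ { print; next }   # keep as-is
        $0 ~ pat                          { print "!" $0; next }  # deselect
                                          { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps file permissions
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Number of entries that are still trusted (not comment, blank or "!").
count_active() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && !/^!/ { n++ } END { print n + 0 }' "$1"
}

# Number of entries explicitly deselected with "!".
count_deselected() {
    awk '/^!/ { n++ } END { print n + 0 }' "$1"
}

# set_trust_policy yes|no|ask
# Preseed the debconf answer that decides whether CAs added by a package
# upgrade are trusted automatically. Requires root on a Debian system; it
# is defined here but not run by the demo below.
set_trust_policy() {
    printf 'ca-certificates ca-certificates/trust_new_crts select %s\n' "$1" \
        | debconf-set-selections
}

# Demo on a constructed sample file (not a real /etc/ca-certificates.conf).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample
mozilla/ACCVRAIZ1.crt
mozilla/QuoVadis_Root_CA_2.crt
!mozilla/QuoVadis_Root_CA_3.crt
mozilla/QuoVadis_Root_CA_1_G3.crt
EOF
deselect_ca "$sample" '^mozilla/QuoVadis'
echo "active: $(count_active "$sample"), deselected: $(count_deselected "$sample")"
cat "$sample"
rm -f "$sample"
```

On a real system the sequence would be `deselect_ca /etc/ca-certificates.conf '^mozilla/QuoVadis'` followed by `update-ca-certificates`, which rebuilds /etc/ssl/certs and the bundle from the remaining active entries; `set_trust_policy no` records the upgrade-time policy so new roots stay untrusted until someone deliberately reviews them with `dpkg-reconfigure ca-certificates`.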