On Fri, 1 Oct 2021 14:12:24 +0200 Julien Cristau <jul...@cristau.org> wrote:
> Which implementations are affected? I know of openssl 1.0.2, which is
> not in any supported Debian release. Are recent versions of gnutls
> affected by this bug?
The CA store can be (and commonly is) used by other software on the hosts which doesn't necessarily even ship from Debian, with varying implementations that sometimes poorly handle this situation. We've observed the lack of this blacklist cause a production issue for an Envoy binary connecting to other servers with Let's Encrypt certs, which uses a bundled boringssl implementation and reads the system root store from this package (and worked around it by blacklisting in our local config manually). Some other software (e.g. mono, java implementations, etc.) can be similarly affected.

Given the cert is expired, it's hard to imagine any real harm from its removal - but removing it can fix a lot of subtle issues going on around the world since yesterday's DST Root CA X3 expiry.
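The practical question behind this exchange is which roots in a host's trust bundle are already past their notAfter date, since an expired root left in the store is exactly what trips up the implementations discussed above. The script below is an added example for this thread, not code from the ca-certificates package or from Debian: it scans a PEM bundle (for instance /etc/ssl/certs/ca-certificates.crt, when given as an argument) with a minimal standard-library DER walker and reports each certificate whose notAfter is in the past. The bundle it runs on by default is constructed inline from dummy certificates with placeholder keys and signatures (the names, dates and serials are made up for the example; the expiry timestamp of the "expired" one is chosen to resemble the thread's situation, not copied from any real certificate), and the check looks only at validity dates, not at Debian's blacklist configuration.

```python
"""Scan a PEM CA bundle and report roots that are already expired.

Added example for this thread (not ca-certificates' or Debian's own code).
Standard library only: a minimal DER walker pulls notAfter and the subject
CN out of each certificate, enough to spot an expired root before a client
that cannot build an alternative chain chokes on it.
"""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("550403")               # 2.5.4.3 (commonName)
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")    # 1.2.840.113549.1.1.11


def _tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed DER value into its immediate (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn_set in _children(name_der):
        for _, atv in _children(rdn_set):
            oid, value = _children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode("utf-8", "replace")
    return "<no CN>"


def parse_cert(der):
    """Return (subject CN, notAfter) for one DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der)
    fields = _children(_children(cert)[0][1])      # TBSCertificate fields
    if fields[0][0] == 0xA0:                       # explicit [0] version is optional (v1 certs omit it)
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, spki, ...
    not_after = _parse_time(*_children(fields[3][1])[1])
    return _common_name(fields[4][1]), not_after


def find_expired(pem_text, now):
    """List (CN, notAfter) for every certificate in the bundle expired at `now`."""
    expired = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        cn, not_after = parse_cert(der)
        if not_after <= now:
            expired.append((cn, not_after))
    return expired


# --- constructed sample bundle (dummy certificates, not real CA data) -------
def _der(tag, body):
    """Encode one DER element, using the long length form when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _constructed_cert(cn, not_before, not_after):
    """Build a syntactically valid v3 certificate with a placeholder key/signature."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _der(0x30, _der(0x06, OID_SHA256_RSA))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + name + _der(0x30, utc(not_before) + utc(not_after)) + name
               + _der(0x30, sig_alg + _der(0x03, b"\x00")))  # placeholder SubjectPublicKeyInfo
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))  # placeholder signature


def _to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


CONSTRUCTED_BUNDLE = _to_pem(_constructed_cert("Constructed Expired Root",
                                               datetime(2000, 9, 30, 21, 12, 19),
                                               datetime(2021, 9, 30, 14, 1, 15))) + \
                     _to_pem(_constructed_cert("Constructed Valid Root",
                                               datetime(2015, 6, 4, 11, 4, 38),
                                               datetime(2035, 6, 4, 11, 4, 38)))
NOW = datetime(2021, 10, 1, 12, 0, 0, tzinfo=timezone.utc)  # the thread's date

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_BUNDLE
    for cn, exp in find_expired(text, datetime.now(timezone.utc)):
        print(f"EXPIRED {exp:%Y-%m-%d}  {cn}")
```

Run it as `python3 scan_bundle.py /etc/ssl/certs/ca-certificates.crt` to list expired roots on a host; with no argument it scans the constructed bundle and reports only the expired dummy root. Once an expired root is identified, the Debian-specific removal is still the `!`-prefixed entry in /etc/ca-certificates.conf followed by `update-ca-certificates`, which this script does not touch.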