Package: firefox-esr
Version: 115.15.0esr-1
Severity: normal
X-Debbugs-Cc: cqu...@arcor.de

Dear Maintainer,


 I have a system that I have been upgrading over several Debian releases. Today
I reviewed the certificate authorities in Firefox and I saw that there are a
bunch of certificates installed in the "Software Security Device". In
particular the ones from thawte, Inc. caught my attention since I thought those
ones were revoked at some point.

 My impression is that after firefox gets updated and a certificate authority
is no longer in the "builtin Object Token", the user configuration still keeps
the removed certificates from the system. In fact I inspected cert9.db and the
query "select id, a3 from nssPublic ;" gave a list of such old certificates
together with other certificates that I manually added.

 Maybe the bug was there at some point and since then my cert9.db still
contains those. I cannot really confirm whether the behaviour persists in
the newest versions of Firefox. What is certain is that the upgrade of the
Firefox packages over the years has leaked those certificates from the system
configuration to the user one, and they persist there now.


-- Package-specific info:

-- Extensions information
Name: Add-ons Search Detection
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: enabled

Name: Amazon.co.uk
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: enabled

Name: Amazon.com
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: enabled

Name: Bing
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: enabled

Name: Bookmark Highlighter
Location: ${PROFILE_EXTENSIONS}/jid0-cna8w9tyzz7h2wrq5zfmso5y...@jetpack.xpi
Status: enabled

Name: Dark theme
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: user-disabled

Name: DuckDuckGo
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: enabled

Name: Firefox Alpenglow theme
Location: /usr/lib/firefox-esr/browser/omni.ja
Status: user-disabled

Name: Firefox Screenshots
Location: /usr/lib/firefox-esr/browser/features/screensh...@mozilla.org.xpi
Status: enabled

Name: floccus bookmarks sync
Location: ${PROFILE_EXTENSIONS}/floc...@handmadeideas.org.xpi
Status: enabled

Name: Form Autofill
Location: /usr/lib/firefox-esr/browser/features/formautof...@mozilla.org.xpi
Status: enabled

Name: Ghostery Tracker & Ad Blocker - Privacy AdBlock
Location: ${PROFILE_EXTENSIONS}/fire...@ghostery.com.xpi
Status: enabled

Name: Google

-- Addons package information

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.6-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox-esr depends on:
ii  debianutils          5.20
ii  fontconfig           2.15.0-1.1
ii  libasound2t64        1.2.12-1
ii  libatk1.0-0t64       2.53.1-2
ii  libc6                2.40-2
ii  libcairo-gobject2    1.18.2-1
ii  libcairo2            1.18.2-1
ii  libdbus-1-3          1.14.10-4+b1
ii  libdbus-glib-1-2     0.112-3+b2
ii  libevent-2.1-7t64    2.1.12-stable-10
ii  libffi8              3.4.6-1
ii  libfontconfig1       2.15.0-1.1
ii  libfreetype6         2.13.3+dfsg-1
ii  libgcc-s1            14.2.0-3
ii  libgdk-pixbuf-2.0-0  2.42.12+dfsg-1
ii  libglib2.0-0t64      2.82.0-1
ii  libgtk-3-0t64        3.24.43-3
ii  libnspr4             2:4.35-1.1+b1
ii  libnss3              2:3.103-1
ii  libpango-1.0-0       1.54.0+ds-2
ii  libstdc++6           14.2.0-3
ii  libvpx9              1.14.1-1
ii  libx11-6             2:1.8.7-1+b1
ii  libx11-xcb1          2:1.8.7-1+b1
ii  libxcb-shm0          1.17.0-2
ii  libxcb1              1.17.0-2
ii  libxcomposite1       1:0.4.5-1+b1
ii  libxdamage1          1:1.1.6-1+b1
ii  libxext6             2:1.3.4-1+b1
ii  libxfixes3           1:6.0.0-2+b1
ii  libxrandr2           2:1.5.4-1
ii  libxtst6             2:1.2.3-1.1+b1
ii  procps               2:4.0.4-5
ii  zlib1g               1:1.3.dfsg+really1.3.1-1

Versions of packages firefox-esr recommends:
ii  libavcodec-extra57                 7:3.2.14-1~deb9u1
ii  libavcodec-extra58 [libavcodec58]  7:4.3.6-0+deb11u1
ii  libavcodec-extra59 [libavcodec59]  7:5.1.5-0+deb12u1
ii  libavcodec-extra60 [libavcodec60]  7:6.1.1-5+b1

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.005-1
pn  fonts-stix | otf-stix  <none>
ii  libcanberra0           0.30-17
ii  libgssapi-krb5-2       1.21.3-3
ii  pulseaudio             16.1+dfsg1-5.1

-- no debconf information
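
Added example (not part of the original report, and not Debian's or Mozilla's code): a read-only audit that extends the reporter's "select id, a3 from nssPublic" query to list only certificate objects in a profile's cert9.db, with a SHA-256 fingerprint for each. The column meanings for a0 and a11, the 4-byte class encoding, and the sample rows are assumptions, labelled in the comments.

```python
import hashlib
import sqlite3
import sys

# Assumed NSS SQLite layout (the report itself only shows `id`, `a3` and
# `nssPublic`): columns are "a" + PKCS #11 attribute type in hex, so
# a0 = CKA_CLASS, a3 = CKA_LABEL, a11 = CKA_VALUE (certificate DER), and
# CK_ULONG values are stored as 4-byte big-endian blobs.
CKO_CERTIFICATE = (1).to_bytes(4, "big")


def as_bytes(value):
    """SQLite may hand a column back as TEXT or BLOB; normalise to bytes."""
    return value.encode("utf-8") if isinstance(value, str) else bytes(value or b"")


def list_user_db_certs(conn):
    """Return (id, label, SHA-256 of DER) for each certificate object."""
    rows = conn.execute(
        "SELECT id, a3, a11 FROM nssPublic "
        "WHERE a0 = ? AND a11 IS NOT NULL ORDER BY id",
        (CKO_CERTIFICATE,),
    ).fetchall()
    return [
        (obj_id,
         as_bytes(label).decode("utf-8", "replace"),
         hashlib.sha256(as_bytes(der)).hexdigest())
        for obj_id, label, der in rows
    ]


def constructed_sample_db():
    """In-memory stand-in for cert9.db; every row is constructed, not real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nssPublic (id PRIMARY KEY, a0, a3, a11)")
    conn.executemany("INSERT INTO nssPublic VALUES (?, ?, ?, ?)", [
        (1, CKO_CERTIFICATE, b"Example Old Root CA", b"constructed-der-1"),
        (2, CKO_CERTIFICATE, "Manually Added CA", b"constructed-der-2"),
        # Some other object class (constructed value) with no CKA_VALUE.
        (3, bytes.fromhex("ce534353"), b"Example Old Root CA", None),
    ])
    return conn


if __name__ == "__main__":
    # Pass the path to a profile's cert9.db; it is opened read-only.
    conn = (sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
            if len(sys.argv) > 1 else constructed_sample_db())
    for obj_id, label, fp in list_user_db_certs(conn):
        print(obj_id, fp, label)
```

The printed fingerprints can be compared with the SHA-256 fingerprints shown in Firefox's certificate viewer to identify which entries live in the user database.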
