Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

Fri, 19 May 2017 08:09:20 -0700 

tags 858539 + pending patch
thanks

I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
  
  ca-certificates (20161130+nmu1) unstable; urgency=medium
  
    * Non-maintainer upload.
    * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
      now untrusted by the major browser vendors. Closes: #858539

The full debdiff is attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

diffstat for ca-certificates-20161130 ca-certificates-20161130+nmu1

 debian/changelog      |    8 ++++++++
 mozilla/blacklist.txt |   16 ++++++++++++++++
 2 files changed, 24 insertions(+)

diff -Nru ca-certificates-20161130/debian/changelog 
ca-certificates-20161130+nmu1/debian/changelog
--- ca-certificates-20161130/debian/changelog   2016-12-01 04:20:53.000000000 
+0100
+++ ca-certificates-20161130+nmu1/debian/changelog      2017-05-19 
16:53:16.000000000 +0200
@@ -1,3 +1,11 @@
+ca-certificates (20161130+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+    now untrusted by the major browser vendors. Closes: #858539
+
+ -- Chris Lamb <la...@debian.org>  Fri, 19 May 2017 16:53:16 +0200
+
 ca-certificates (20161130) unstable; urgency=medium
 
   [ Philipp Kern ]
diff -Nru ca-certificates-20161130/mozilla/blacklist.txt 
ca-certificates-20161130+nmu1/mozilla/blacklist.txt
--- ca-certificates-20161130/mozilla/blacklist.txt      2016-11-03 
08:40:01.000000000 +0100
+++ ca-certificates-20161130+nmu1/mozilla/blacklist.txt 2017-05-19 
16:53:16.000000000 +0200
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+#         | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] 
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"

Reply via email to