On Fri, May 19, 2017 at 10:46:35AM -0500, Michael Shuler wrote:
> On 05/19/2017 10:07 AM, Chris Lamb wrote:
> > I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
> >
> >   ca-certificates (20161130+nmu1) unstable; urgency=medium
> >
> >   * Non-maintainer upload.
> >   * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
> >     now untrusted by the major browser vendors. Closes: #858539
>
> Thank you for the NMU, Chris, I'm good with that change.
Do you plan on making a similar update to oldstable (jessie)?

By the way, I see the 2.11 update to unstable is still pending, but I have managed to merge in the above NMU in the git repository and pushed it to collab-maint.

https://anonscm.debian.org/git/collab-maint/ca-certificates.git/commit/?id=c5f9e62eb3a307ccb3d581dba7c38d19b6a5ba87

Is there something blocking that 2.11 upload?

I have also prepared an upload for jessie and wheezy that would fix this bug, attached. I wonder, however, what the correct course of action is considering that you have that 2.11 update pending - shouldn't we just trickle certdata.txt down into all suites?

Let me know how we should process this,

A.
From 9ac1618482517826a10a9dc0a49c8b3bc5595cb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Thu, 6 Jul 2017 13:28:22 -0400 Subject: [PATCH] merge in NMU for #858539 --- debian/changelog | 9 +++++++++ mozilla/blacklist.txt | 16 ++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/debian/changelog b/debian/changelog index a6b8b1e..88a7f1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ca-certificates (20141019+deb8u4) jessie; urgency=medium + + [ Chris Lamb ] + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are + now untrusted by the major browser vendors. Closes: #858539 + + -- Antoine Beaupré <anar...@debian.org> Thu, 06 Jul 2017 13:18:47 -0400 + ca-certificates (20141019+deb8u3) jessie; urgency=medium [ Michael Shuler ] diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index 911f9f1..6ea1732 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt @@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root" -- 2.11.0
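Review bot: The six labels added to mozilla/blacklist.txt should be re-checked against this branch's own mozilla/certdata.txt, because the hunk carries the same index line (911f9f1..6ea1732) as the wheezy patch and so looks copied rather than regenerated for jessie. Re-run the egrep pipeline quoted in the comment on the jessie tree and confirm that each quoted label matches a CKA_LABEL there; drop or annotate any that do not. The quoted pipeline also ends in "uniq" with no preceding sort, which only collapses adjacent duplicates, so "sort -u" would make the documented command reproducible regardless of entry order in certdata.txt.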
From 68c8120346a4b7dfae0dca9ccc44d8d78e632700 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> Date: Thu, 6 Jul 2017 13:34:53 -0400 Subject: [PATCH] merge in NMU for #858539 --- debian/changelog | 9 +++++++++ mozilla/blacklist.txt | 16 ++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/debian/changelog b/debian/changelog index 013e86e..38c035e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ca-certificates (20130119+deb7u3) wheezy-security; urgency=medium + + [ Chris Lamb ] + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are + now untrusted by the major browser vendors. Closes: #858539 + + -- Antoine Beaupré <anar...@debian.org> Thu, 06 Jul 2017 13:33:56 -0400 + ca-certificates (20130119+deb7u2) oldstable; urgency=medium * mozilla/{certdata.txt,nssckbi.h}: diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index 911f9f1..6ea1732 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt @@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root" -- 2.11.0
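Review bot: The comment added to mozilla/blacklist.txt and the debian/changelog entry both say only that these CAs are "now untrusted by the major browser vendors", while reference [0] is a post about distrusting new WoSign and StartCom certificates; neither states that this upload lists the six roots by label next to the DigiNotar entry, which also affects certificates already issued under them. For an upload to wheezy-security, add a sentence to the changelog entry saying so, so that administrators see the behaviour change in the update's announcement and not only in the blacklist file.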