Bug#962596: marked as done (ca-certificates: Removal of GeoTrust Global CA requires investigation)

[Debian Bug Tracking System]

Your message dated Tue, 19 Jan 2021 10:48:29 +0000
with message-id <e1l1oyn-0007py...@fasolo.debian.org>
and subject line Bug#962596: fixed in ca-certificates 20210119
has caused the Debian Bug report #962596,
regarding ca-certificates: Removal of GeoTrust Global CA requires investigation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
962596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: ca-certificates
Version: 20200601
Severity: normal

Dear Maintainer,

Since the update of ca-certificates to version 20200601 I can no longer access
webkit.org websites.

$ gnutls-cli webkit.org
Processed 114 CA certificate(s).
Resolving 'webkit.org:443'...
Connecting to '54.190.50.171:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,O=Apple
Inc.,OU=management:idms.group.764034,CN=www.webkit.org', issuer `C=US,O=Apple
Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1', serial
0x56bad882747e779b546f5fe1f1728a4b, RSA key 2048 bits, signed using RSA-SHA256,
activated `2019-03-14 16:13:54 UTC', expires `2021-04-12 16:13:54 UTC', pin-
sha256="wn1o7E4lMWKKBJYbeB8g/ZdNmeyrdOBvFA9yxI9H+Kk="
        Public Key ID:
                sha1:1020bd7159d9a3bb418ff02ee22f968359843074
sha256:c27d68ec4e2531628a04961b781f20fd974d99ecab74e06f140f72c48f47f8a9
        Public Key PIN:
                pin-sha256:wn1o7E4lMWKKBJYbeB8g/ZdNmeyrdOBvFA9yxI9H+Kk=

- Certificate[1] info:
 - subject `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 -
G1', issuer `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US', serial 0x023a74, RSA
key 2048 bits, signed using RSA-SHA256, activated `2014-06-16 15:42:02 UTC',
expires `2022-05-20 15:42:02 UTC', pin-
sha256="tc+C1H75gj+ap48SMYbFLoh56oSw+CLJHYPgQnm3j9U="
- Certificate[2] info:
 - subject `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US', issuer `CN=GeoTrust
Global CA,O=GeoTrust Inc.,C=US', serial 0x023456, RSA key 2048 bits, signed
using RSA-SHA1 (broken!), activated `2002-05-21 04:00:00 UTC', expires
`2022-05-21 04:00:00 UTC', pin-
sha256="h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.



-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  openssl                1.1.1g-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
* ca-certificates/enable_crts: extra/mitmproxy-ca-cert.crt, 
mozilla/ACCVRAIZ1.crt, mozilla/AC_RAIZ_FNMT-RCM.crt, 
mozilla/Actalis_Authentication_Root_CA.crt, mozilla/AffirmTrust_Commercial.crt, 
mozilla/AffirmTrust_Networking.crt, mozilla/AffirmTrust_Premium.crt, 
mozilla/AffirmTrust_Premium_ECC.crt, mozilla/Amazon_Root_CA_1.crt, 
mozilla/Amazon_Root_CA_2.crt, mozilla/Amazon_Root_CA_3.crt, 
mozilla/Amazon_Root_CA_4.crt, mozilla/Atos_TrustedRoot_2011.crt, 
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, 
mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_Root_CA.crt, 
mozilla/Buypass_Class_3_Root_CA.crt, mozilla/CA_Disig_Root_R2.crt, 
mozilla/Certigna.crt, mozilla/certSIGN_ROOT_CA.crt, 
mozilla/Certum_Trusted_Network_CA_2.crt, mozilla/Certum_Trusted_Network_CA.crt, 
mozilla/CFCA_EV_ROOT.crt, mozilla/Chambers_of_Commerce_Root_-_2008.crt, 
mozilla/Comodo_AAA_Services_root.crt, 
mozilla/COMODO_Certification_Authority.crt, 
mozilla/COMODO_ECC_Certification_Authority.crt, 
mozilla/COMODO_RSA_Certification_Authority.crt, 
mozilla/Cybertrust_Global_Root.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, 
mozilla/DigiCert_Assured_ID_Root_G2.crt, 
mozilla/DigiCert_Assured_ID_Root_G3.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_Global_Root_G2.crt, mozilla/DigiCert_Global_Root_G3.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, 
mozilla/DigiCert_Trusted_Root_G4.crt, mozilla/DST_Root_CA_X3.crt, 
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt, 
mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt, mozilla/EC-ACC.crt, 
mozilla/EE_Certification_Centre_Root_CA.crt, 
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, 
mozilla/Entrust_Root_Certification_Authority.crt, 
mozilla/Entrust_Root_Certification_Authority_-_EC1.crt, 
mozilla/Entrust_Root_Certification_Authority_-_G2.crt, 
mozilla/ePKI_Root_Certification_Authority.crt, 
mozilla/E-Tugra_Certification_Authority.crt, 
mozilla/GDCA_TrustAUTH_R5_ROOT.crt, mozilla/GeoTrust_Universal_CA_2.crt, 
mozilla/Global_Chambersign_Root_-_2008.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, 
mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, 
mozilla/GlobalSign_Root_CA_-_R6.crt, mozilla/Go_Daddy_Class_2_CA.crt, 
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt, 
mozilla/Hongkong_Post_Root_CA_1.crt, 
mozilla/IdenTrust_Commercial_Root_CA_1.crt, 
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, 
mozilla/Izenpe.com.crt, mozilla/LuxTrust_Global_Root_2.crt, 
mozilla/Microsec_e-Szigno_Root_CA_2009.crt, 
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, 
mozilla/Network_Solutions_Certificate_Authority.crt, 
mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt, 
mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt, 
mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, 
mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, 
mozilla/QuoVadis_Root_CA.crt, mozilla/Secure_Global_CA.crt, 
mozilla/SecureSign_RootCA11.crt, mozilla/SecureTrust_CA.crt, 
mozilla/Security_Communication_RootCA2.crt, 
mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt, 
mozilla/SSL.com_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_Root_Certification_Authority_RSA.crt, 
mozilla/Staat_der_Nederlanden_EV_Root_CA.crt, 
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt, 
mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt, 
mozilla/Starfield_Class_2_CA.crt, 
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, 
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, 
mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, 
mozilla/SZAFIR_ROOT_CA2.crt, mozilla/Taiwan_GRCA.crt, 
mozilla/TeliaSonera_Root_CA_v1.crt, mozilla/TrustCor_ECA-1.crt, 
mozilla/TrustCor_RootCert_CA-1.crt, mozilla/TrustCor_RootCert_CA-2.crt, 
mozilla/Trustis_FPS_Root_CA.crt, mozilla/T-TeleSec_GlobalRoot_Class_2.crt, 
mozilla/T-TeleSec_GlobalRoot_Class_3.crt, 
mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt, 
mozilla/TWCA_Global_Root_CA.crt, mozilla/TWCA_Root_Certification_Authority.crt, 
mozilla/USERTrust_ECC_Certification_Authority.crt, 
mozilla/USERTrust_RSA_Certification_Authority.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/XRamp_Global_CA_Root.crt
  ca-certificates/title:
* ca-certificates/trust_new_crts: yes
  ca-certificates/new_crts:

--- End Message ---

--- Begin Message ---

Source: ca-certificates
Source-Version: 20210119
Done: Julien Cristau <jcris...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 962...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcris...@debian.org> (supplier of updated ca-certificates 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 19 Jan 2021 11:11:04 +0100
Source: ca-certificates
Architecture: source
Version: 20210119
Distribution: unstable
Urgency: medium
Maintainer: Julien Cristau <jcris...@debian.org>
Changed-By: Julien Cristau <jcris...@debian.org>
Closes: 942915 962079 962596 976406
Changes:
 ca-certificates (20210119) unstable; urgency=medium
 .
   [ Julien Cristau ]
   * New maintainer (closes: #976406)
   * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
     bundle to version 2.46.
     The following certificate authorities were added (+):
     + "certSIGN ROOT CA G2"
     + "e-Szigno Root CA 2017"
     + "Microsoft ECC Root Certificate Authority 2017"
     + "Microsoft RSA Root Certificate Authority 2017"
     + "NAVER Global Root Certification Authority"
     + "Trustwave Global Certification Authority"
     + "Trustwave Global ECC P256 Certification Authority"
     + "Trustwave Global ECC P384 Certification Authority"
     The following certificate authorities were removed (-):
     - "EE Certification Centre Root CA"
     - "GeoTrust Universal CA 2"
     - "LuxTrust Global Root 2"
     - "OISTE WISeKey Global Root GA CA"
     - "Staat der Nederlanden Root CA - G2" (closes: #962079)
     - "Taiwan GRCA"
     - "Verisign Class 3 Public Primary Certification Authority - G3"
 .
   [ Michael Shuler ]
   * mozilla/blacklist:
     Revert Symantec CA blacklist (#911289). Closes: #962596
     The following root certificates were added back (+):
     + "GeoTrust Primary Certification Authority - G2"
     + "VeriSign Universal Root Certification Authority"
 .
   [ Gianfranco Costamagna ]
   * debian/{rules,control}:
     Merge Ubuntu patch from Matthias Klose to use Python3 during build.
     Closes: #942915
Checksums-Sha1:
 49e22e00ef8c048e6380f9470d43dc6325679306 1868 ca-certificates_20210119.dsc
 c9875aa16e42981c6975e59a11727539053e2299 232964 ca-certificates_20210119.tar.xz
Checksums-Sha256:
 51e5c099ab976f50f4d2f3c5ea0ad49853024cdb3e630322cbd7e02b05a034f4 1868 
ca-certificates_20210119.dsc
 daa3afae563711c30a0586ddae4336e8e3974c2b627faaca404c4e0141b64665 232964 
ca-certificates_20210119.tar.xz
Files:
 0fc9d8d512961e7e9d5eab6d463555d8 1868 misc optional 
ca-certificates_20210119.dsc
 c02582bf9ae338e558617291897615eb 232964 misc optional 
ca-certificates_20210119.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEVXgdqzTmGgnvuIvhnbAjVVb4z60FAmAGtYgUHGpjcmlzdGF1
QGRlYmlhbi5vcmcACgkQnbAjVVb4z60ZxQ/+PtmmKdJcCwNl4/NPl5rXmWqZxO5T
/inuWWshhlO6wk1xYf4eWERbjsVFTp9mLG1qJoGfRUlJIdpp/fKuX4SBf+4oGsf9
0FdL8xYXC/s0Y8yHPj7YXQXNn3c76HzV+em9Ld0/S43ZRRrbDGzDEi8nEdpklCfu
Z2NuudOuK6JHvYr5tu7DeLmp6HXKnbemWq5J02YcIRzxgVZI0y4CETMAt5yhDgXR
0LbsVsSSNTFAjy+nfqIeZH3TtTdNCyEBJj64p1hVSafUD2luciSUYj1imEe3+dej
THqhoO7AmAI6yBGO61qdkRuiD1XqVevZ+hsviYXGT0Z4bwoz2rrKc5vyrlcAX7Pc
X5+sra56cHz2PaGZoosbDgRoyAKb+Nm9d/h/g9drSrNh2614CpqX0x2gQnxP0cws
YPgDrP0QgLad3QIhhT/gJFfPES865kP+2YJ/mesU8/xZXtt2hiNTcBKgJy5xHxsV
EEViSOyHNrIIkC+YC/qzDAXpCQG3lf3iKPJC9C+Tu8e/7/uMJkR9ky8unz3poMf+
LlcvW3YFj7egNyi5jDFeuYbUwWuyD1Y9wthUmWoL6jJNSkwEZUXJh0g7M6CywBp0
feiChpD90H3mi5WwPaJq/fyFMoQsAQzClh0xkak/AE6zsxwzbL4UImwo3UsO5sBv
lnA05I/Tz11jQag=
=qj/c
-----END PGP SIGNATURE-----

--- End Message ---