This bug was fixed in the package ca-certificates - 20210119~20.10.1
---------------
ca-certificates (20210119~20.10.1) groovy-security; urgency=medium
* Update ca-certificates database to 20210119 (LP: #1914064):
- mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate
authority bundle to version 2.46.
- backport certain changes from the Ubuntu 20.10 20210119 package
* mozilla/blacklist.txt: revert Symantec CA blacklist (LP: #1913951)
The following root certificates were added back (+):
+ "GeoTrust Primary Certification Authority - G2"
+ "VeriSign Universal Root Certification Authority"
-- Marc Deslauriers <marc.deslauri...@ubuntu.com> Mon, 01 Feb 2021
10:14:19 -0500
** Changed in: ca-certificates (Ubuntu Groovy)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1913951
Title:
ca-certificates: Symantec CA blacklisted for non-TLS uses
Status in ca-certificates package in Ubuntu:
Fix Committed
Status in ca-certificates source package in Groovy:
Fix Released
Status in ca-certificates source package in Hirsute:
Fix Committed
Status in ca-certificates package in Debian:
Fix Committed
Bug description:
~$ lsb_release -rd
Description: Ubuntu 20.10
Release: 20.10
~$ apt list --installed | grep ca-certificates
WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.
ca-certificates/groovy-updates,groovy-security,now
20201027ubuntu0.20.10.1 all [installed,automatic]
Repro steps:
1. Open Terminal.
2. Execute:
wget https://dot.net/v1/dotnet-install.sh
chmod +x ./dotnet-install.sh
./dotnet-install.sh -c 5.0
export DOTNET_ROOT=$HOME/.dotnet
export PATH=$PATH:$HOME/.dotnet
dotnet new console
dotnet add package System.Collections.Immutable
Expected result:
Package restore will succeed.
Actual result:
Package restore fails with:
error: NU3028: Package 'System.Collections.Immutable 5.0.0' from
source 'https://api.nuget.org/v3/index.json': The author primary
signature's timestamp found a chain building issue: UntrustedRoot:
self signed certificate in certificate chain
There has been a planned process to distrust Symantec certificates in the
certificate store over the past two years. The Debian ca-certificates package
removed this CA for both TLS (expected) and other uses (like timestamping)
(unexpected). Trust was added back in a subsequent update. See
https://release.debian.org/proposed-updates/stable.html#ca-certificates_20200601~deb10u2
for details.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1913951/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
