Bug 51732 - ca-certificates: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P5 normal
Target Milestone: UCS 4.4-5-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2020-07-27 06:48 CEST by Philipp Hahn
Modified: 2020-07-29 15:43 CEST (History)
What kind of report is it?: Release Management
Max CVSS v3 score: 0.0 ()


Description Philipp Hahn univentionstaff 2020-07-27 06:48:01 CEST
New Debian ca-certificates 20200601~deb9u1 fixes:
This update addresses the following issue:
* The list of public SSL root certificates has been updated.
Comment 1 Quality Assurance univentionstaff 2020-07-27 07:44:31 CEST
--- mirror/ftp/4.3/unmaintained/4.3-2/source/ca-certificates_20161130+nmu1+deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/ca-certificates_20200601~deb9u1.dsc
@@ -1,11 +1,153 @@
-20161130+nmu1+deb9u1 [Sat, 07 Jul 2018 01:08:40 +0200] Michael Shuler <michael@pbandjelly.org>:
+20200601~deb9u1 [Fri, 05 Jun 2020 11:52:50 -0500] Michael Shuler <michael@pbandjelly.org>:
 
+  * Rebuild for stretch.
+  * Merge changes from 20200601
+    - d/control
+  * This release updates the Mozilla CA bundle to 2.40, blacklists
+    distrusted Symantec roots, and blacklists expired "AddTrust External
+    Root". Closes: #956411, #955038, #911289, #961907
+  * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
+    Closes: #916833
+  * Remove email-only roots from mozilla trust store. Closes: #721976
+
+20200601 [Mon, 01 Jun 2020 11:45:49 -0500] Michael Shuler <michael@pbandjelly.org>:
+
+  * debian/control:
+    Set Standards-Version: 4.5.0.2
+    Set Build-Depends: debhelper-compat (= 13)
+  * debian/copyright:
+    Replace tabs in license text
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.40.
+    Closes: #956411, #955038
+  * mozilla/blacklist.txt
+    Add distrusted Symantec CA list to blacklist for explicit removal.
+    Closes: #911289
+    Blacklist expired root certificate, "AddTrust External Root"
+    Closes: #961907
+    The following certificate authorities were added (+):
+    + "Certigna Root CA"
+    + "emSign ECC Root CA - C3"
+    + "emSign ECC Root CA - G3"
+    + "emSign Root CA - C1"
+    + "emSign Root CA - G1"
+    + "Entrust Root Certification Authority - G4"
+    + "GTS Root R1"
+    + "GTS Root R2"
+    + "GTS Root R3"
+    + "GTS Root R4"
+    + "Hongkong Post Root CA 3"
+    + "UCA Extended Validation Root"
+    + "UCA Global G2 Root"
+    The following certificate authorities were removed (-):
+    - "AddTrust External Root"
+    - "Certinomis - Root CA"
+    - "Certplus Class 2 Primary CA"
+    - "Deutsche Telekom Root CA 2"
+    - "GeoTrust Global CA"
+    - "GeoTrust Primary Certification Authority"
+    - "GeoTrust Primary Certification Authority - G2"
+    - "GeoTrust Primary Certification Authority - G3"
+    - "GeoTrust Universal CA"
+    - "thawte Primary Root CA"
+    - "thawte Primary Root CA - G2"
+    - "thawte Primary Root CA - G3"
+    - "VeriSign Class 3 Public Primary Certification Authority - G4"
+    - "VeriSign Class 3 Public Primary Certification Authority - G5"
+    - "VeriSign Universal Root Certification Authority"
+
+20190110 [Thu, 10 Jan 2019 19:31:31 -0600] Michael Shuler <michael@pbandjelly.org>:
+
+  * debian/control:
+    Depend on openssl (>= 1.1.1).
+    Set Standards-Version: 4.3.0.1.
+    Set Build-Depends: debhelper-compat (= 12); drop d/compat
+    Remove trailing whitespace from d/changelog.
+  * debian/ca-certificates.postinst:
+    Fix permissions on /usr/local/share/ca-certificates when using symlinks.
+    Closes: #916833
+  * sbin/update-ca-certificates:
+    Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
+    rehash` from exiting with an error. Closes: #895482, #895473
+    This will also fix removal of user CA certificates from /usr/local without
+    needing to run --fresh. Closes: #911303
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.28.
+    The following certificate authorities were added (+):
+    + "GlobalSign Root CA - R6"
+    + "OISTE WISeKey Global Root GC CA"
+    The following certificate authorities were removed (-):
+    - "Certplus Root CA G1"
+    - "Certplus Root CA G2"
+    - "OpenTrust Root CA G1"
+    - "OpenTrust Root CA G2"
+    - "OpenTrust Root CA G3"
+    - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    - "Visa eCommerce Root"
+
+20180409 [Mon, 09 Apr 2018 18:43:49 -0500] Michael Shuler <michael@pbandjelly.org>:
+
+  [ Michael Shuler ]
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.22.
+    The following certificate authorities were added (+):
+    + "GDCA TrustAUTH R5 ROOT"
+    + "SSL.com EV Root Certification Authority ECC"
+    + "SSL.com EV Root Certification Authority RSA R2"
+    + "SSL.com Root Certification Authority ECC"
+    + "SSL.com Root Certification Authority RSA"
+    + "TrustCor ECA-1"
+    + "TrustCor RootCert CA-1"
+    + "TrustCor RootCert CA-2"
+    The following certificate authorities were removed (-):
+    - "ACEDICOM Root"
+    - "AddTrust Low-Value Services Root"
+    - "AddTrust Public Services Root"
+    - "AddTrust Qualified Certificates Root"
+    - "CA Disig Root R1"
+    - "CNNIC ROOT"
+    - "Camerfirma Chambers of Commerce Root"
+    - "Camerfirma Global Chambersign Root"
+    - "Certinomis - Autorité Racine"
+    - "Certum Root CA"
+    - "China Internet Network Information Center EV Certificates Root"
+    - "Comodo Secure Services root"
+    - "Comodo Trusted Services root"
+    - "DST ACES CA X6"
+    - "GeoTrust Global CA 2"
+    - "PSCProcert"
+    - "Security Communication EV RootCA1"
+    - "Swisscom Root CA 1"
+    - "Swisscom Root CA 2"
+    - "Swisscom Root EV CA 2"
+    - "TURKTRUST Certificate Services Provider Root 2007"
+    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+    - "UTN USERFirst Hardware Root CA"
+  * mozilla/blacklist.txt
+    Update blacklist to remove certificates no longer in certdata.txt and
+    explicitly ignore distrusted certificates.
+  * debian/copyright:
+    Fix lintian insecure-copyright-format-uri with https URL.
+  * debian/changelog:
+    Fix lintian file-contains-trailing-whitespace.
+  * debian/{compat,control}:
+    Set to debhelper compat 11.
+  * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
+    usage of `c_rehash` script. Closes: #895075
+
+  [ Thijs Kinkhorst ]
+  * Remove Christian Perrier from uploaders at his request (closes: #894070).
+  * Checked for policy 4.1.4, no changes.
+
+20170717 [Thu, 20 Jul 2017 00:18:08 -0500] Michael Shuler <michael@pbandjelly.org>:
+
+  * Update to Standards-Version: 4.0.1
   * debian/ca-certificates.postinst:
     Prevent postinst failure on read-only /usr/local. Closes: #843722
-  * debian/control:
-    Remove Christian Perrier from uploaders at his request. Closes: #894070
+  * mozilla/certdata2pem.py:
+    Remove email-only roots from mozilla trust store. Closes: #721976
   * mozilla/{certdata.txt,nssckbi.h}:
-    Update Mozilla certificate authority bundle to version 2.22.
+    Update Mozilla certificate authority bundle to version 2.14.
     Closes: #858064
     The following certificate authorities were added (+):
     + "AC RAIZ FNMT-RCM"
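Review bot: the 20200601 entry removes trust anchors that deployed services may still chain to (the "GeoTrust ...", "thawte ..." and "VeriSign ..." roots and "AddTrust External Root" in the removed (-) list, plus the matching mozilla/blacklist.txt additions), but the errata description on this bug only says "The list of public SSL root certificates has been updated." Suggest naming the distrusted Symantec roots and the expired AddTrust root in doc/errata/staging/ca-certificates.yaml, so administrators know to check internal and third-party TLS endpoints for chains ending in those roots before installing. Separately, the 20190110 entry records "Depend on openssl (>= 1.1.1)" while the 20200601~deb9u1 entry only says "Merge changes from 20200601 - d/control"; the changelog does not show the resulting Depends for the stretch rebuild, so confirm it is satisfiable on UCS 4.4.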
@@ -14,54 +156,32 @@
     + "Amazon Root CA 3"
     + "Amazon Root CA 4"
     + "D-TRUST Root CA 3 2013"
-    + "GDCA TrustAUTH R5 ROOT"
     + "LuxTrust Global Root 2"
-    + "SSL.com EV Root Certification Authority ECC"
-    + "SSL.com EV Root Certification Authority RSA R2"
-    + "SSL.com Root Certification Authority ECC"
-    + "SSL.com Root Certification Authority RSA"
-    + "Symantec Class 1 Public Primary Certification Authority - G4"
-    + "Symantec Class 1 Public Primary Certification Authority - G6"
-    + "Symantec Class 2 Public Primary Certification Authority - G4"
-    + "Symantec Class 2 Public Primary Certification Authority - G6"
-    + "TrustCor ECA-1"
-    + "TrustCor RootCert CA-1"
-    + "TrustCor RootCert CA-2"
     + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
     The following certificate authorities were removed (-):
-    - "ACEDICOM Root"
-    - "AddTrust Public Services Root"
-    - "AddTrust Qualified Certificates Root"
+    - "AC Raiz Certicamara S.A."
     - "ApplicationCA - Japanese Government"
     - "Buypass Class 2 CA 1"
-    - "CA Disig Root R1"
-    - "Certinomis - Autorité Racine"
-    - "China Internet Network Information Center EV Certificates Root"
-    - "CNNIC ROOT"
-    - "Comodo Secure Services root"
-    - "Comodo Trusted Services root"
-    - "DST ACES CA X6"
+    - "ComSign CA"
     - "EBG Elektronik Sertifika Hizmet Saglayicisi"
     - "Equifax Secure CA"
     - "Equifax Secure eBusiness CA 1"
     - "Equifax Secure Global eBusiness CA"
-    - "GeoTrust Global CA 2"
     - "IGC/A"
     - "Juur-SK"
     - "Microsec e-Szigno Root CA"
-    - "PSCProcert"
     - "Root CA Generalitat Valenciana"
     - "RSA Security 2048 v3"
-    - "Security Communication EV RootCA1"
     - "S-TRUST Authentication and Encryption Root CA 2005 PN"
-    - "Swisscom Root CA 1"
-    - "Swisscom Root EV CA 2"
-    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
-    - "TURKTRUST Certificate Services Provider Root 2007"
+    - "S-TRUST Universal Root CA"
+    - "SwissSign Platinum CA - G2"
+    - "TC TrustCenter Class 3 CA II"
     - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
-    - "UTN USERFirst Hardware Root CA"
+    - "UTN USERFirst Email Root CA"
     - "Verisign Class 1 Public Primary Certification Authority"
+    - "Verisign Class 1 Public Primary Certification Authority - G3"
     - "Verisign Class 2 Public Primary Certification Authority - G2"
+    - "Verisign Class 2 Public Primary Certification Authority - G3"
     - "Verisign Class 3 Public Primary Certification Authority"
     - "WellsSecure Public Root Certificate Authority"
 
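Review bot: in the 20170717 removed (-) list, the newly listed "UTN USERFirst Email Root CA" and the Verisign Class 1 and Class 2 "- G3" roots, together with the four "Symantec Class 1/Class 2 Public Primary Certification Authority" lines dropped from the added (+) list, look like the effect of "Remove email-only roots from mozilla trust store" (Closes: #721976) rather than of the bundle update alone. If that reading is right, anything that verifies S/MIME against the system store loses those anchors, and the errata text does not mention it; suggest confirming this and adding a line to the YAML.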

<http://10.200.17.11/4.4-5/#2981212816199653241>
Comment 2 Philipp Hahn univentionstaff 2020-07-27 11:22:32 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] 621d84c148 Bug #51732: ca-certificates_20200601~deb9u1
 doc/errata/staging/ca-certificates.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)