Univention Bugzilla – Bug 51732
ca-certificates: Multiple issues (4.4)
Last modified: 2020-07-29 15:43:06 CEST
New Debian ca-certificates 20200601~deb9u1 fixes:
This update addresses the following issue:
* The list of public SSL root certificates has been updated.
--- mirror/ftp/4.3/unmaintained/4.3-2/source/ca-certificates_20161130+nmu1+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/ca-certificates_20200601~deb9u1.dsc 
@@ -1,11 +1,153 @@ -20161130+nmu1+deb9u1 [Sat, 07 Jul 2018 01:08:40 +0200] Michael Shuler <michael@pbandjelly.org>: +20200601~deb9u1 [Fri, 05 Jun 2020 11:52:50 -0500] Michael Shuler <michael@pbandjelly.org>: + * Rebuild for stretch. + * Merge changes from 20200601 + - d/control + * This release updates the Mozilla CA bundle to 2.40, blacklists + distrusted Symantec roots, and blacklists expired "AddTrust External + Root". Closes: #956411, #955038, #911289, #961907 + * Fix permissions on /usr/local/share/ca-certificates when using symlinks. + Closes: #916833 + * Remove email-only roots from mozilla trust store. Closes: #721976 + +20200601 [Mon, 01 Jun 2020 11:45:49 -0500] Michael Shuler <michael@pbandjelly.org>: + + * debian/control: + Set Standards-Version: 4.5.0.2 + Set Build-Depends: debhelper-compat (= 13) + * debian/copyright: + Replace tabs in license text + * mozilla/{certdata.txt,nssckbi.h}: + Update Mozilla certificate authority bundle to version 2.40. + Closes: #956411, #955038 + * mozilla/blacklist.txt + Add distrusted Symantec CA list to blacklist for explicit removal. 
+ Closes: #911289 + Blacklist expired root certificate, "AddTrust External Root" + Closes: #961907 + The following certificate authorities were added (+): + + "Certigna Root CA" + + "emSign ECC Root CA - C3" + + "emSign ECC Root CA - G3" + + "emSign Root CA - C1" + + "emSign Root CA - G1" + + "Entrust Root Certification Authority - G4" + + "GTS Root R1" + + "GTS Root R2" + + "GTS Root R3" + + "GTS Root R4" + + "Hongkong Post Root CA 3" + + "UCA Extended Validation Root" + + "UCA Global G2 Root" + The following certificate authorities were removed (-): + - "AddTrust External Root" + - "Certinomis - Root CA" + - "Certplus Class 2 Primary CA" + - "Deutsche Telekom Root CA 2" + - "GeoTrust Global CA" + - "GeoTrust Primary Certification Authority" + - "GeoTrust Primary Certification Authority - G2" + - "GeoTrust Primary Certification Authority - G3" + - "GeoTrust Universal CA" + - "thawte Primary Root CA" + - "thawte Primary Root CA - G2" + - "thawte Primary Root CA - G3" + - "VeriSign Class 3 Public Primary Certification Authority - G4" + - "VeriSign Class 3 Public Primary Certification Authority - G5" + - "VeriSign Universal Root Certification Authority" + +20190110 [Thu, 10 Jan 2019 19:31:31 -0600] Michael Shuler <michael@pbandjelly.org>: + + * debian/control: + Depend on openssl (>= 1.1.1). + Set Standards-Version: 4.3.0.1. + Set Build-Depends: debhelper-compat (= 12); drop d/compat + Remove trailing whitespace from d/changelog. + * debian/ca-certificates.postinst: + Fix permissions on /usr/local/share/ca-certificates when using symlinks. + Closes: #916833 + * sbin/update-ca-certificates: + Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl + rehash` from exiting with an error. Closes: #895482, #895473 + This will also fix removal of user CA certificates from /usr/local without + needing to run --fresh. Closes: #911303 + * mozilla/{certdata.txt,nssckbi.h}: + Update Mozilla certificate authority bundle to version 2.28. 
+ The following certificate authorities were added (+): + + "GlobalSign Root CA - R6" + + "OISTE WISeKey Global Root GC CA" + The following certificate authorities were removed (-): + - "Certplus Root CA G1" + - "Certplus Root CA G2" + - "OpenTrust Root CA G1" + - "OpenTrust Root CA G2" + - "OpenTrust Root CA G3" + - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" + - "Visa eCommerce Root" + +20180409 [Mon, 09 Apr 2018 18:43:49 -0500] Michael Shuler <michael@pbandjelly.org>: + + [ Michael Shuler ] + * mozilla/{certdata.txt,nssckbi.h}: + Update Mozilla certificate authority bundle to version 2.22. + The following certificate authorities were added (+): + + "GDCA TrustAUTH R5 ROOT" + + "SSL.com EV Root Certification Authority ECC" + + "SSL.com EV Root Certification Authority RSA R2" + + "SSL.com Root Certification Authority ECC" + + "SSL.com Root Certification Authority RSA" + + "TrustCor ECA-1" + + "TrustCor RootCert CA-1" + + "TrustCor RootCert CA-2" + The following certificate authorities were removed (-): + - "ACEDICOM Root" + - "AddTrust Low-Value Services Root" + - "AddTrust Public Services Root" + - "AddTrust Qualified Certificates Root" + - "CA Disig Root R1" + - "CNNIC ROOT" + - "Camerfirma Chambers of Commerce Root" + - "Camerfirma Global Chambersign Root" + - "Certinomis - Autorité Racine" + - "Certum Root CA" + - "China Internet Network Information Center EV Certificates Root" + - "Comodo Secure Services root" + - "Comodo Trusted Services root" + - "DST ACES CA X6" + - "GeoTrust Global CA 2" + - "PSCProcert" + - "Security Communication EV RootCA1" + - "Swisscom Root CA 1" + - "Swisscom Root CA 2" + - "Swisscom Root EV CA 2" + - "TURKTRUST Certificate Services Provider Root 2007" + - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" + - "UTN USERFirst Hardware Root CA" + * mozilla/blacklist.txt + Update blacklist to remove certificates no longer in certdata.txt and + explicitly ignore distrusted certificates. 
+ * debian/copyright: + Fix lintian insecure-copyright-format-uri with https URL. + * debian/changelog: + Fix lintian file-contains-trailing-whitespace. + * debian/{compat,control}: + Set to debhelper compat 11. + * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop + usage of `c_rehash` script. Closes: #895075 + + [ Thijs Kinkhorst ] + * Remove Christian Perrier from uploaders at his request (closes: #894070). + * Checked for policy 4.1.4, no changes. + +20170717 [Thu, 20 Jul 2017 00:18:08 -0500] Michael Shuler <michael@pbandjelly.org>: + + * Update to Standards-Version: 4.0.1 * debian/ca-certificates.postinst: Prevent postinst failure on read-only /usr/local. Closes: #843722 - * debian/control: - Remove Christian Perrier from uploaders at his request. Closes: #894070 + * mozilla/certdata2pem.py: + Remove email-only roots from mozilla trust store. Closes: #721976 * mozilla/{certdata.txt,nssckbi.h}: - Update Mozilla certificate authority bundle to version 2.22. + Update Mozilla certificate authority bundle to version 2.14. Closes: #858064 The following certificate authorities were added (+): + "AC RAIZ FNMT-RCM" 
@@ -14,54 +156,32 @@ + "Amazon Root CA 3" + "Amazon Root CA 4" + "D-TRUST Root CA 3 2013" - + "GDCA TrustAUTH R5 ROOT" + "LuxTrust Global Root 2" - + "SSL.com EV Root Certification Authority ECC" - + "SSL.com EV Root Certification Authority RSA R2" - + "SSL.com Root Certification Authority ECC" - + "SSL.com Root Certification Authority RSA" - + "Symantec Class 1 Public Primary Certification Authority - G4" - + "Symantec Class 1 Public Primary Certification Authority - G6" - + "Symantec Class 2 Public Primary Certification Authority - G4" - + "Symantec Class 2 Public Primary Certification Authority - G6" - + "TrustCor ECA-1" - + "TrustCor RootCert CA-1" - + "TrustCor RootCert CA-2" + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" The following certificate authorities were removed (-): - - "ACEDICOM Root" - - "AddTrust Public Services Root" - - "AddTrust Qualified Certificates Root" + - "AC Raiz Certicamara S.A." - "ApplicationCA - Japanese Government" - "Buypass Class 2 CA 1" - - "CA Disig Root R1" - - "Certinomis - Autorité Racine" - - "China Internet Network Information Center EV Certificates Root" - - "CNNIC ROOT" - - "Comodo Secure Services root" - - "Comodo Trusted Services root" - - "DST ACES CA X6" + - "ComSign CA" - "EBG Elektronik Sertifika Hizmet Saglayicisi" - "Equifax Secure CA" - "Equifax Secure eBusiness CA 1" - "Equifax Secure Global eBusiness CA" - - "GeoTrust Global CA 2" - "IGC/A" - "Juur-SK" - "Microsec e-Szigno Root CA" - - "PSCProcert" - "Root CA Generalitat Valenciana" - "RSA Security 2048 v3" - - "Security Communication EV RootCA1" - "S-TRUST Authentication and Encryption Root CA 2005 PN" - - "Swisscom Root CA 1" - - "Swisscom Root EV CA 2" - - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" - - "TURKTRUST Certificate Services Provider Root 2007" + - "S-TRUST Universal Root CA" + - "SwissSign Platinum CA - G2" + - "TC TrustCenter Class 3 CA II" - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" - - "UTN USERFirst Hardware 
Root CA" + - "UTN USERFirst Email Root CA" - "Verisign Class 1 Public Primary Certification Authority" + - "Verisign Class 1 Public Primary Certification Authority - G3" - "Verisign Class 2 Public Primary Certification Authority - G2" + - "Verisign Class 2 Public Primary Certification Authority - G3" - "Verisign Class 3 Public Primary Certification Authority" - "WellsSecure Public Root Certificate Authority" <http://10.200.17.11/4.4-5/#2981212816199653241>
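Review bot: The 20200601 entry in the first hunk removes "AddTrust External Root" and the distrusted Symantec family (the GeoTrust, thawte and VeriSign roots), but the erratum text on this bug only says "The list of public SSL root certificates has been updated". Suggest naming those removals in the erratum description, because clients that use the system trust store stop validating chains that end at one of these roots once the package is installed. In the same hunk, the "- d/control" item under "Merge changes from 20200601" in the 20200601~deb9u1 entry has no description; state whether the d/control changes listed further down (debhelper-compat (= 13), and the openssl (>= 1.1.1) dependency from 20190110) are left out of the stretch rebuild.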
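Review bot: The four "Symantec Class 1/Class 2 Public Primary Certification Authority - G4/G6" lines dropped from the 20170717 added list in the second hunk do not reappear in the added list of any newer entry shown in the first hunk, unlike the GDCA, SSL.com and TrustCor lines, which move to 20180409. If they are gone because of "Remove email-only roots from mozilla trust store" (Closes: #721976), say so in the entry, so the changelog accounts for every root that differs from the previous package.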
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] 621d84c148 Bug #51732: ca-certificates_20200601~deb9u1
 doc/errata/staging/ca-certificates.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x652>