New signatures for CAcert-Class 3-Subroot-certificate

Bug #796227 reported by Alexander Bahlo
Affects                   Status        Importance  Assigned to  Milestone
ca-certificates (Debian)  Fix Released  Unknown
ca-certificates (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

Binary package hint: ca-certificates

CAcert has re-signed its Class 3-certificate with a new SHA256 signature. The formerly used MD5 signature is not seen as fully secure any more by Mozilla (see: https://wiki.mozilla.org/CA:MD5and1024). Users of Mozilla products like Firefox and Thunderbird may experience errors when these programs try to verify such certificates; others may follow. Hence all users of CAcert's Class 3-certificates have to download and install the newly signed certificates from CAcert's website.

The procedure in short:
1. Download the new Class 3 PKI Key from http://www.cacert.org/index.php?id=3
2. SHA1-fingerprint must be: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
3. Make it of use in the ca-certificates package

I have clicked the checkbox that this bug is a security vulnerability. Well, not in the package itself, and not in the file either. But if not updated, users experience errors and may find a security issue has occurred when it has not, or will experience a security vulnerability because they have called a bad site with a hacked MD5 signature. So I consider this a security issue of priority low. Nevertheless I would definitely recommend including the update in all supported Ubuntu versions.

In case of further questions please don't hesitate to contact me.

Best regards,
Alexander Bahlo, CAcert.
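Step 2 of the procedure above is the one that protects against installing the wrong file: the fingerprint is what proves the downloaded certificate is the one CAcert published. The following is an added example, not code from the bug report, from CAcert, or from the ca-certificates package. It checks a downloaded PEM file against the published SHA1 fingerprint using only the Python standard library; the fingerprint that `openssl x509 -fingerprint -sha1 -noout` prints is the SHA-1 digest of the certificate's DER encoding, so no X.509 parser is needed. The sample PEM at the bottom is a constructed placeholder, not a real certificate, and exists only so the script runs offline.

```python
"""Verify a downloaded CA certificate's SHA-1 fingerprint before trusting it.

Added example, not part of the bug report or the ca-certificates package.
The fingerprint that `openssl x509 -fingerprint -sha1 -noout` prints is the
SHA-1 digest of the certificate's DER encoding, so the check needs only the
standard library: strip the PEM armour, base64-decode, hash, compare.
"""
import base64
import hashlib
import hmac
import re

# Fingerprint published on the page for the re-signed CAcert Class 3 subroot.
CACERT_CLASS3_SHA1 = "AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    Downloaded files sometimes carry a text banner before the block, so the
    block is located by regex rather than assumed to start the file.
    """
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in input")
    body = "".join(match.group(1).split())          # drop line breaks
    return base64.b64decode(body, validate=True)    # reject stray characters


def sha1_fingerprint(pem: str) -> str:
    """40 lowercase hex digits: the digest openssl reports as 'SHA1 Fingerprint'."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AD:7C:..', 'ad7c..', or 'SHA1 Fingerprint=AD:7C:..'; return bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp.split("=", 1)[-1])
    if len(digits) != 40:
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return digits.lower()


def format_fingerprint(hexdigest: str) -> str:
    """Render bare hex in the colon-separated uppercase form CAcert publishes."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2)).upper()


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Constant-time comparison; a mismatch must not leak how much matched."""
    return hmac.compare_digest(sha1_fingerprint(pem), normalize_fingerprint(expected))


def check_certificate_file(path: str, expected: str = CACERT_CLASS3_SHA1) -> bool:
    """True if the certificate at `path` carries the expected fingerprint."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return fingerprint_matches(handle.read(), expected)


# Constructed sample input: a PEM wrapper around placeholder bytes, not a real
# certificate. It exercises the armour handling; its fingerprint is meaningless.
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate"
CONSTRUCTED_PEM = (
    "Some banner text a download page might prepend\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Real use: check_certificate_file("/path/to/downloaded/class3.crt") and,
    # only if it returns True, install the file as described below.
    print("constructed sample ->", format_fingerprint(sha1_fingerprint(CONSTRUCTED_PEM)))
    print("matches published CAcert fingerprint?",
          fingerprint_matches(CONSTRUCTED_PEM, CACERT_CLASS3_SHA1))
```

On Debian and Ubuntu, a certificate that passes the check can be made available to the system trust store (step 3 of the procedure) by copying the PEM file to /usr/local/share/ca-certificates/ with a .crt extension and running `sudo update-ca-certificates`, which is the local-certificate mechanism the ca-certificates package provides. The constant-time comparison is not strictly needed for a one-off manual check, but it costs nothing and is the right habit for anything that runs unattended.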

visibility: private → public
Changed in ca-certificates (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Changed in ca-certificates (Debian):
status: Unknown → New
Changed in ca-certificates (Debian):
status: New → Fix Committed
Changed in ca-certificates (Debian):
status: Fix Committed → Fix Released
Micah Gersten (micahg) wrote:

This bug was fixed in the package ca-certificates - 20111211

---------------
ca-certificates (20111211) unstable; urgency=low

  * Clarify CA audit note in package description and README.debian. Thanks
    to C.J. Adams-Collier for the patch. Closes: #594383
  * Remove French Government IGC/A CA certificates. The RSA certificate is
    included in the Mozilla bundle and the DSA certificate is not in use.
    Closes: #646767
  * Remove expired signet.pl CAs. Closes: #647849
  * Remove expired brasil.gov.br CA.
  * Edit 20111025 changelog/NEWS entries to correctly list installed CAs
  * Use 'set -e' in body of debian/postinst
  * Update mozilla/certdata.txt to version 1.80
    (no added/removed CAs)
  * Update mozilla/certdata2pem.py to parse NETSCAPE or NSS data

 -- Michael Shuler <email address hidden> Sun, 11 Dec 2011 19:05:32 -0600

ca-certificates (20111025) unstable; urgency=low

  [ Michael Shuler ]
  * Add 3.0 (native) source format
  * Add Vcs-Git/Browser fields
  * Add myself as new Maintainer with Uploaders Closes: #588219
  * Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
    Certificates added (+) and removed (-):
    + "AffirmTrust Commercial"
    + "AffirmTrust Networking"
    + "AffirmTrust Premium"
    + "AffirmTrust Premium ECC"
    + "A-Trust-nQual-03"
    + "Certinomis - Autorité Racine"
    + "Certum Trusted Network CA"
    + "Go Daddy Root Certificate Authority - G2"
    + "Root CA Generalitat Valenciana"
    + "Starfield Root Certificate Authority - G2"
    + "Starfield Services Root Certificate Authority - G2"
    + "TWCA Root Certification Authority"
    - "AOL Time Warner Root Certification Authority 1"
    - "AOL Time Warner Root Certification Authority 2"
    - "DigiNotar Root CA"
    - "Entrust.net Global Secure Personal CA"
    - "Entrust.net Global Secure Server CA"
    - "Entrust.net Secure Personal CA"
    - "IPS Chained CAs root"
    - "IPS CLASE1 root"
    - "IPS CLASE3 root"
    - "IPS CLASEA1 root"
    - "IPS CLASEA3 root"
    - "IPS Timestamping root"
    - "Thawte Personal Freemail CA"
    - "Thawte Time Stamping CA"
  * Update CAcert-Class 3-Subroot-certificate Closes: #630232

  [ Steve Langasek ]
  * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
    the way before calling c_rehash, so that symlinks don't accidentally get
    pointed here, breaking openssl certificate verification LP: #854927

  [ Loïc Minier ]
  * Drop bogus c_rehash on upgrades, which caused issue when
    ca-certificates.crt was still in place; instead, call
    update-ca-certificates --fresh on upgrades to this version, and
    the usual update-ca-certificates otherwise Closes: #643667, #537382

 -- Michael Shuler <email address hidden> Tue, 25 Oct 2011 09:12:10 -0500

ca-certificates (20111022) unstable; urgency=low

  * QA upload.
  * Fix pending l10n issues. Debconf translations:
    - German (Helge Kreutzmann). Closes: #634000
    - French (Christian Perrier). Closes: #634092
    - Russian (Yuri Kozlov). Closes: #635146
    - Swedish (Martin Bagge / brother). Closes: #640622
    - Slovak (Slavko). Closes: #641987
    - Spanish; (Javier Fernández-Sanguino). Closes...


Changed in ca-certificates (Ubuntu):
status: Confirmed → Fix Released