New signatures for CAcert-Class 3-Subroot-certificate
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ca-certificates (Debian) | Fix Released | Unknown | | |
ca-certificates (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
Binary package hint: ca-certificates
CAcert has re-signed its Class 3-certificate with a new SHA256 signature. The formerly used MD5 signature is not seen as fully secure any more by Mozilla (see: https:/
The procedure in short:
1. Download the new Class 3 PKI Key from http://
2. SHA1-fingerprint must be: AD:7C:3F:
3. Make it of use in the ca-certificates package
I have clicked the checkbox that this bug is a security vulnerability. Well, not in the package itself, and the file also not. But if not updated, users experience errors and may find a security issue has occurred when it has not, or will experience a security vulnerability because they have called a bad site with a hacked MD5 signature. So I consider this as a security issue of priority low. Nevertheless I would definitely recommend to include the update in all supported Ubuntu versions.
In case of further questions please don't hesitate to contact me.
Best regards,
Alexander Bahlo, CAcert.
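The check behind steps 2 and 3 of the report, as an added example that is not part of the bug report or of the ca-certificates package: it reads the signature algorithm from a DER certificate and compares the SHA-1 fingerprint with the value the CA published. The function names and the two sample byte strings are constructed for illustration, and the expected fingerprint has to be supplied by the caller, since the page shows it only in truncated form.

```python
import hashlib
SIG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"1.2.840.113549.1.1.4"}  # only MD5 is flagged, as in the report

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(data):
    """Decode DER OID content bytes into dotted notation."""
    root = min(data[0] // 40, 2)
    arcs, val = [root, data[0] - 40 * root], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm field of an X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)    # tbsCertificate, skipped whole
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid_start == oid_end:
        raise ValueError("not an X.509 certificate")
    return decode_oid(der[oid_start:oid_end])

def check_certificate(der, expected_fp):
    """Compare the SHA-1 fingerprint with the published one and name the signature hash."""
    oid = signature_algorithm(der)
    digest = hashlib.sha1(der).hexdigest().upper()
    fp = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return {"fingerprint": fp, "fingerprint_ok": fp == expected_fp.upper(),
            "algorithm": SIG_NAMES.get(oid, oid), "weak_signature": oid in WEAK}

# Constructed inputs: certificate-shaped DER with empty fields, not real certificates.
OLD_SAMPLE = bytes.fromhex("30153000300d06092a864886f70d010104050003020000")
NEW_SAMPLE = bytes.fromhex("30153000300d06092a864886f70d01010b050003020000")
```

A PEM file can be converted to DER first with `ssl.PEM_cert_to_DER_cert` from the Python standard library.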
visibility: | private → public |
Changed in ca-certificates (Ubuntu): | |
importance: | Undecided → Low |
status: | New → Confirmed |
Changed in ca-certificates (Debian): | |
status: | Unknown → New |
Changed in ca-certificates (Debian): | |
status: | New → Fix Committed |
Changed in ca-certificates (Debian): | |
status: | Fix Committed → Fix Released |
This bug was fixed in the package ca-certificates - 20111211
---------------
ca-certificates (20111211) unstable; urgency=low
* Clarify CA audit note in package description and README.debian. Thanks
to C.J. Adams-Collier for the patch. Closes: #594383
* Remove French Government IGC/A CA certificates. The RSA certificate is
included in the Mozilla bundle and the DSA certificate is not in use.
Closes: #646767
* Remove expired signet.pl CAs. Closes: #647849
* Remove expired brasil.gov.br CA.
* Edit 20111025 changelog/NEWS entries to correctly list installed CAs
* Use 'set -e' in body of debian/postinst
* Update mozilla/certdata.txt to version 1.80
(no added/removed CAs)
* Update mozilla/certdata2pem.py to parse NETSCAPE or NSS data
-- Michael Shuler <email address hidden> Sun, 11 Dec 2011 19:05:32 -0600
ca-certificates (20111025) unstable; urgency=low
[ Michael Shuler ]
* Add 3.0 (native) source format
* Add Vcs-Git/Browser fields
* Add myself as new Maintainer with Uploaders Closes: #588219
* Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
Certificates added (+) and removed (-):
+ "AffirmTrust Commercial"
+ "AffirmTrust Networking"
+ "AffirmTrust Premium"
+ "AffirmTrust Premium ECC"
+ "A-Trust-nQual-03"
+ "Certinomis - Autorité Racine"
+ "Certum Trusted Network CA"
+ "Go Daddy Root Certificate Authority - G2"
+ "Root CA Generalitat Valenciana"
+ "Starfield Root Certificate Authority - G2"
+ "Starfield Services Root Certificate Authority - G2"
+ "TWCA Root Certification Authority"
- "AOL Time Warner Root Certification Authority 1"
- "AOL Time Warner Root Certification Authority 2"
- "DigiNotar Root CA"
- "Entrust.net Global Secure Personal CA"
- "Entrust.net Global Secure Server CA"
- "Entrust.net Secure Personal CA"
- "IPS Chained CAs root"
- "IPS CLASE1 root"
- "IPS CLASE3 root"
- "IPS CLASEA1 root"
- "IPS CLASEA3 root"
- "IPS Timestamping root"
- "Thawte Personal Freemail CA"
- "Thawte Time Stamping CA"
* Update CAcert-Class 3-Subroot-certificate Closes: #630232
[ Steve Langasek ]
* sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
the way before calling c_rehash, so that symlinks don't accidentally get
pointed here, breaking openssl certificate verification LP: #854927
[ Loïc Minier ]
* Drop bogus c_rehash on upgrades, which caused issue when
ca-certificates.crt was still in place; instead, call
update-ca-certificates --fresh on upgrades to this version, and
the usual update-ca-certificates otherwise Closes: #643667, #537382
-- Michael Shuler <email address hidden> Tue, 25 Oct 2011 09:12:10 -0500
ca-certificates (20111022) unstable; urgency=low
* QA upload.
* Fix pending l10n issues. Debconf translations:
- German (Helge Kreutzmann). Closes: #634000
- French (Christian Perrier). Closes: #634092
- Russian (Yuri Kozlov). Closes: #635146
- Swedish (Martin Bagge / brother). Closes: #640622
- Slovak (Slavko). Closes: #641987
- Spanish; (Javier Fernández-Sanguino). Closes...