ca-certificates isn't updated in LTS 16.04

Bug #1719851 reported by Danylo Hlynskyi on 2017-09-27
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Status tracked in Artful
Trusty
Undecided
Marc Deslauriers
Xenial
Undecided
Marc Deslauriers
Zesty
Undecided
Marc Deslauriers
Artful
Undecided
Marc Deslauriers

Bug Description

ca-certificates should contain root certificates for new CA from Amazon

They are added in version 20170717, The Artful Aardvark (pre-release freeze)
But that isn't reflected neither in zesty, nor backports or security

We recently got a letter from Amazon to update our SSL certs till October 25. Would be extremely great if ca-certificates will be updated via unattended upgrades in-time.

Marking as security, because several CAs were removed (compromised?).
Or maybe there is a reason, why root cert list isn't updated on LTS releases?

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: ca-certificates 20161130
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.5
Architecture: amd64
Date: Wed Sep 27 11:10:01 2017
Ec2AMI: ami-6edd3078
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m3.medium
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
PackageArchitecture: all
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to zesty on 2017-05-19 (131 days ago)

Danylo Hlynskyi (danbst) wrote :
Danylo Hlynskyi (danbst) wrote :

Looks like I've generated bug report from 17.04 version (which doesn't have an update too), but most of our EC2 instances use 16.04.3 LTS and are affected too

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Changed in ca-certificates (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Fix Released
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

The ca-certificates package has been updated for all releases:

https://usn.ubuntu.com/usn/usn-3432-1/

Marking bug as Fix Released. Thanks!

Changed in ca-certificates (Ubuntu Trusty):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Xenial):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Zesty):
status: New → Fix Released
David Glasser (glasser) wrote :

I just saw this via the USN. I'm having trouble evaluating the urgency of this fix.

Is the issue:

- Without this, connecting to some sites will fail because of missing/lapsed CAs

or

- Without this, you'll probably get MITMed because you're trusting some insecure hacked CAs

?

Marc Deslauriers (mdeslaur) wrote :

Both. The new bundle added some new CAs, and also removed CAs that Mozilla has deemed no longer trustworthy or have requested to be removed.

Danylo Hlynskyi (danbst) wrote :

Sorry, I had misconfigured email notifications and didn't see your comments. But thanks for a quick fix!

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers