ca-certificates isn't updated in LTS 16.04

Bug #1719851 reported by Danylo Hlynskyi
Affects                    Status        Importance  Assigned to       Milestone
ca-certificates (Ubuntu)   Fix Released  Undecided   Marc Deslauriers
Trusty                     Fix Released  Undecided   Marc Deslauriers
Xenial                     Fix Released  Undecided   Marc Deslauriers
Zesty                      Fix Released  Undecided   Marc Deslauriers
Artful                     Fix Released  Undecided   Marc Deslauriers

Bug Description

ca-certificates should contain the root certificates for the new CA from Amazon.

They are added in version 20170717, The Artful Aardvark (pre-release freeze),
but that is reflected neither in zesty nor in backports or security.

We recently got a letter from Amazon to update our SSL certs by October 25. It would be extremely great if ca-certificates were updated via unattended upgrades in time.

Marking as security, because several CAs were removed (compromised?).
Or maybe there is a reason why the root cert list isn't updated on LTS releases?

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: ca-certificates 20161130
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.5
Architecture: amd64
Date: Wed Sep 27 11:10:01 2017
Ec2AMI: ami-6edd3078
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m3.medium
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
PackageArchitecture: all
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to zesty on 2017-05-19 (131 days ago)

Danylo Hlynskyi (danbst) wrote :

Looks like I generated the bug report from the 17.04 version (which doesn't have an update either), but most of our EC2 instances use 16.04.3 LTS and are affected too.

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Changed in ca-certificates (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Zesty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Fix Released
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

The ca-certificates package has been updated for all releases:

https://usn.ubuntu.com/usn/usn-3432-1/

Marking bug as Fix Released. Thanks!

Changed in ca-certificates (Ubuntu Trusty):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Xenial):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Zesty):
status: New → Fix Released
David Glasser (glasser) wrote :

I just saw this via the USN. I'm having trouble evaluating the urgency of this fix.

Is the issue:

- Without this, connecting to some sites will fail because of missing/lapsed CAs

or

- Without this, you'll probably get MITMed because you're trusting some insecure hacked CAs

?

Marc Deslauriers (mdeslaur) wrote :

Both. The new bundle added some new CAs, and also removed CAs that Mozilla has deemed no longer trustworthy or that have requested to be removed.
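
An added example, not part of the thread or of the ca-certificates package: one way to see both effects of a bundle update is to diff the trust bundle before and after by certificate fingerprint. The function names and the sample bundles are constructed for illustration; the sample "certificates" are arbitrary bytes, not real roots.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(bundle_text):
    """SHA-256 fingerprint (hex) of the DER bytes of every PEM block."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(bundle_text)
    }

def diff_bundles(old_text, new_text):
    """Return (added, removed) fingerprint sets between two trust bundles."""
    old, new = bundle_fingerprints(old_text), bundle_fingerprints(new_text)
    return new - old, old - new

def impact(added, removed):
    """Map the diff onto the two risks raised in the thread."""
    notes = []
    if added:
        notes.append("availability: %d root(s) missing until updated" % len(added))
    if removed:
        notes.append("trust: %d withdrawn root(s) still trusted until updated" % len(removed))
    return notes

def fake_pem(payload):
    """Constructed stand-in for a certificate: arbitrary bytes, PEM-armoured."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample bundles (not real certificates). On a real host, save
# copies of /etc/ssl/certs/ca-certificates.crt before and after the upgrade.
OLD_BUNDLE = fake_pem(b"root-kept") + fake_pem(b"root-later-removed")
NEW_BUNDLE = fake_pem(b"root-kept") + fake_pem(b"root-newly-added")

if __name__ == "__main__":
    added, removed = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    for line in impact(added, removed):
        print(line)
    for fp in sorted(added):
        print("+", fp)
    for fp in sorted(removed):
        print("-", fp)
```

The fingerprints it prints can be compared against the values a CA publishes for its roots.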

Danylo Hlynskyi (danbst) wrote :

Sorry, I had misconfigured email notifications and didn't see your comments. But thanks for a quick fix!

This report contains Public Security information  
Everyone can see this security related information.
