diff -Nru ca-certificates-20170717~14.04.2/debian/changelog ca-certificates-20170717~14.04.3/debian/changelog
--- ca-certificates-20170717~14.04.2/debian/changelog	2018-12-06 18:20:55.000000000 +0000
+++ ca-certificates-20170717~14.04.3/debian/changelog	2021-09-22 00:36:35.000000000 +0100
@@ -1,3 +1,12 @@
+ca-certificates (20170717~14.04.3) trusty; urgency=medium
+
+  * Distrust "DST Root CA X3" thus allowing connectivity with older TLS
+    software to letsencrypt websites in default configuration which have
+    alternative chains to both expired "DST Root CA X3" and valid "ISRG
+    Root X1". LP: #1944481
+
+ -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Wed, 22 Sep 2021 00:36:35 +0100
+
 ca-certificates (20170717~14.04.2) trusty; urgency=medium
 
   * Add ca-certificates udeb package (LP: #1807023)
diff -Nru ca-certificates-20170717~14.04.2/mozilla/blacklist.txt ca-certificates-20170717~14.04.3/mozilla/blacklist.txt
--- ca-certificates-20170717~14.04.2/mozilla/blacklist.txt	2017-07-20 06:18:08.000000000 +0100
+++ ca-certificates-20170717~14.04.3/mozilla/blacklist.txt	2021-09-22 00:36:31.000000000 +0100
@@ -21,3 +21,4 @@
 "WoSign China"
 "Certification Authority of WoSign G2"
 "CA WoSign ECC Root"
+"DST Root CA X3"