Blacklist fraudulent UTN-USERFirst-Hardware certificates

Bug #741729 reported by giff gill on 2011-03-24
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ca-certificates
Undecided
auto-team
ca-certificates (Debian)
New
Undecided
Unassigned
ca-certificates (Ubuntu)
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
firefox (Ubuntu)
Undecided
Micah Gersten
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Micah Gersten
Maverick
Undecided
Micah Gersten
Natty
Undecided
Micah Gersten
nss (Ubuntu)
Undecided
Chris Coulson
Hardy
Medium
Micah Gersten
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Chris Coulson
qt4-x11 (Ubuntu)
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned

Bug Description

Binary package hint: firefox

Blacklist fraudulent UTN-USERFirst-Hardware certificates

http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
Fixed upstream in 3.6.16 and 4.0

for nss: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/de5774217cc33669#

Other packages are affected as well, e.g. ca-certificates, openssl, kdelibs, qt-x11, Java...?
and everything that depends on those: epiphany, konqueror, rekonq, wget, curl...

visibility: private → public
description: updated
summary: - Blocking Fraudulent Certificates
+ Blacklist fraudulent UTN-USERFirst-Hardware certificates
description: updated
description: updated
Paul C. Bryan (pbryan) wrote :

Does Ubuntu have a working group to determine which certificates should be included in its distributed software?

description: updated

As I understand it the debian ca-certificates is shipped more or less unmodified so no
also Bug #103074

description: updated
description: updated
Jamie Strandboge (jdstrand) wrote :
Changed in firefox (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: New → Fix Released
Changed in kdelibs (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: New → In Progress
Changed in nss (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: New → In Progress
Changed in ca-certificates (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

3.12.9+ckbi-1.82-0ubuntu1 uploaded to Natty.

Changed in nss (Ubuntu):
assignee: Micah Gersten (micahg) → Chris Coulson (chrisccoulson)
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

qt4-x11 is being tracked in bug #742377.

affects: kdelibs (Ubuntu) → qt4-x11 (Ubuntu)
Changed in qt4-x11 (Ubuntu):
assignee: Micah Gersten (micahg) → nobody
status: In Progress → Invalid
Micah Gersten (micahg) on 2011-03-28
Changed in firefox (Ubuntu Hardy):
status: New → Invalid
Changed in nss (Ubuntu Hardy):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.8.04.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Mon, 28 Mar 2011 03:30:20 -0500

Changed in nss (Ubuntu Hardy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.10.04.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Mon, 28 Mar 2011 14:55:05 -0500

Changed in nss (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.10.10.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Tue, 29 Mar 2011 03:13:10 -0500

Changed in nss (Ubuntu Maverick):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.9.10.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.9.10.1) karmic-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Mon, 28 Mar 2011 04:04:10 -0500

Changed in nss (Ubuntu Karmic):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Natty):
status: Triaged → Won't Fix
Micah Gersten (micahg) wrote :

Marking tasks as Won't Fix for now since ca-certificates has no blacklist functionality at the moment and we don't want to diverge from Debian. If Debian adds this functionality, we will revisit this.

Changed in ca-certificates (Ubuntu Maverick):
status: New → Won't Fix
Changed in ca-certificates (Ubuntu Lucid):
status: New → Won't Fix
Changed in ca-certificates (Ubuntu Karmic):
status: New → Won't Fix
Changed in ca-certificates (Ubuntu Hardy):
status: New → Invalid
status: Invalid → Won't Fix
Micah Gersten (micahg) wrote :

qt4-x11 was fixed in bug #742377

Changed in qt4-x11 (Ubuntu Maverick):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Lucid):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Karmic):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Hardy):
status: New → Invalid
Micah Gersten (micahg) on 2011-04-15
Changed in ca-certificates (Ubuntu):
status: Triaged → Won't Fix

how can i unsubscribe this ?

greatings
jochen

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in firefox (Ubuntu Karmic):
status: New → Won't Fix
Changed in firefox (Ubuntu Lucid):
status: New → Triaged
assignee: nobody → Micah Gersten (micahg)
Changed in firefox (Ubuntu Maverick):
status: New → Triaged
assignee: nobody → Micah Gersten (micahg)
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in firefox (Ubuntu Maverick):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in firefox (Ubuntu Lucid):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.