Comment 1 for bug 1553819

The point of the USN-2865-1 security update was to remove support for RSA-MD5 certificates which are considered insecure and were previously accepted in GnuTLS because of a design flaw.

See the following for more information:

http://lists.gnutls.org/pipermail/gnutls-devel/2015-April/007572.html
http://www.ubuntu.com/usn/usn-2865-1/

Please also see the following cacert.org announcement:

http://blog.cacert.org/2015/12/re-signing-root-certificate/