Your message dated Thu, 13 Mar 2014 13:03:23 +0000
with message-id <[email protected]>
and subject line Bug#683403: fixed in ca-certificates 20140223
has caused the Debian Bug report #683403,
regarding ca-certificates: Missing Verisign md2 certs due to broken extract script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
683403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683403
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20111211
Severity: normal
Verisign shipped G1 PCA Roots with md2 signatures on them. At some point,
they resigned those roots using SHA1, but requested that the original certs
keep shipping in Mozilla's cert list as they had issued intermediates with
AKIs that point to the MD2 versions.
See discussion here:
https://groups.google.com/forum/?fromgroups#!msg/mozilla.dev.security.policy/I6bUbW3WkBU/lRxqGv6vYHYJ
Now, ca-certificates uses a script called "certdata2pem.py" to extract the
certificates from the certdata.txt file provided by Mozilla into individual
files. Unfortunately, the script names the certificate file using the
CKA_LABEL. In two instances, the verisign md2 and sha1 certs have the same
CKA_LABEL, so the script is overwriting the first one (md2) with the second
one (sha1).
This results in the Verisign md2 certs being missing from the system ca certs.
This usually isn't a problem except in the case where a website is handing
out a complete cert chain, including the md2 root cert. When that happens,
webkit is unable to verify the md2 root cert, and the connection fails.
See reproducer in downstream bug report here:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1031333
--- End Message ---
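The extraction failure described in the report above, as an added example that is not the package's own certdata2pem.py: a minimal parser for the CKO_CERTIFICATE objects in a certdata.txt-style file, the pre-fix naming that keys the output file on CKA_LABEL alone (so the second object with a label silently overwrites the first), and a corrected naming that appends _2, _3, ... on a collision, following the "_2" convention the 20140223 changelog shows. The certdata fragment is constructed for this example and its CKA_VALUE bodies are dummy octal bytes, not real DER certificates; the trust-object filtering the real script also performs is omitted, and the label sanitiser is a simplified stand-in for the real one.

```python
import base64
import re

# Constructed fragment in the shape of Mozilla's certdata.txt (not real data).
# Two CKO_CERTIFICATE objects carry the same CKA_LABEL, mirroring the md2 and
# sha1 Verisign roots; the CKA_VALUE bodies are dummy bytes, not DER.
SAMPLE_CERTDATA = r'''
# comment lines and blank lines are ignored
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\115\104\062
END

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001\123\110\101\061
END

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root/CA 2"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
END
'''


def parse_octal(lines):
    """Decode a MULTILINE_OCTAL body: every \\NNN escape is one byte."""
    data = bytearray()
    for line in lines:
        for m in re.finditer(r'\\([0-7]{3})', line):
            data.append(int(m.group(1), 8))
    return bytes(data)


def parse_certdata(text):
    """Return a list of dicts, one per object; a CKA_CLASS line starts a new object."""
    objects = []
    current = None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(' ', 2)
        attr, typ = parts[0], parts[1]
        if typ == 'MULTILINE_OCTAL':
            body = []
            for raw in lines:          # consume the shared iterator up to END
                if raw.strip() == 'END':
                    break
                body.append(raw)
            value = parse_octal(body)
        elif typ == 'UTF8':
            value = parts[2].strip('"')   # simplified: no escaped quotes handled
        else:
            value = parts[2]
        if attr == 'CKA_CLASS':
            current = {}
            objects.append(current)
        current[attr] = value
    return objects


def label_to_base(label):
    """Simplified stand-in for the real script's label sanitiser."""
    return label.replace(' ', '_').replace('/', '_')


def naive_filenames(certs):
    """Pre-fix behaviour: file name derived from CKA_LABEL only, so a second
    object with the same label overwrites the first (the bug in #683403)."""
    out = {}
    for cert in certs:
        out[label_to_base(cert['CKA_LABEL']) + '.crt'] = cert['CKA_VALUE']
    return out


def unique_filenames(certs):
    """Fixed behaviour: first object with a label keeps label.crt, later ones
    get label_2.crt, label_3.crt, ... so nothing is lost."""
    seen = {}
    out = []
    for cert in certs:
        base = label_to_base(cert['CKA_LABEL'])
        count = seen.get(base, 0) + 1
        seen[base] = count
        name = base if count == 1 else f'{base}_{count}'
        out.append((name + '.crt', cert['CKA_VALUE']))
    return out


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'


if __name__ == '__main__':
    objs = parse_certdata(SAMPLE_CERTDATA)
    certs = [o for o in objs if o['CKA_CLASS'] == 'CKO_CERTIFICATE']
    print('naive :', len(naive_filenames(certs)), 'files from', len(certs), 'certs')
    for name, der in unique_filenames(certs):
        print('fixed :', name, len(to_pem(der)), 'bytes of PEM')
```

Run against the real mozilla/certdata.txt, the naive mapping is what produced a system store with only one of the two Verisign Class 3 roots; the counter-suffixed mapping is why the 20140223 changelog lists both "Verisign Class 3 Public Primary Certification Authority" and its "_2" sibling.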
--- Begin Message ---
Source: ca-certificates
Source-Version: 20140223
We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Shuler <[email protected]> (supplier of updated ca-certificates package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 23 Feb 2014 23:22:29 -0600
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20140223
Distribution: unstable
Urgency: medium
Maintainer: Michael Shuler <[email protected]>
Changed-By: Michael Shuler <[email protected]>
Description:
ca-certificates - Common CA certificates
Closes: 635570 683403 718434 727136
Changes:
ca-certificates (20140223) unstable; urgency=medium
.
* No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
* Fix certdata2pem.py for multiple CAs using the same CKA_LABEL. Thanks
to Marc Deslauriers for the patch. Closes: #683403, LP: #1031333
* Sort local CA certificates on update-ca-certificates runs. Thanks to
Vaclav Ovsik for the suggestion and patch. Closes: #727136
* Add trailing newline to certificate, if it is missing. Closes: #635570
* Update mozilla/certdata.txt to version 1.97.
Certificates added (+), removed (-), and renamed (~):
+ "ACCVRAIZ1"
+ "Atos TrustedRoot 2011"
+ "E-Tugra Certification Authority"
+ "SG TRUST SERVICES RACINE"
+ "T-TeleSec GlobalRoot Class 2"
+ "TWCA Global Root CA"
+ "TeliaSonera Root CA v1"
+ "Verisign Class 3 Public Primary Certification Authority"
~ "Verisign Class 3 Public Primary Certification Authority"_2
(both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
- "Entrust.net Secure Server CA"
- "Firmaprofesional Root CA"
- "GTE CyberTrust Global Root"
- "RSA Root Certificate 1"
- "TDC OCES Root CA"
- "ValiCert Class 1 VA"
- "ValiCert Class 2 VA"
- "Wells Fargo Root CA"
Checksums-Sha1:
5c16595be2d53faae390f91d8e46b292f100b2b8 1420 ca-certificates_20140223.dsc
ad57a45f0422fafd78a2e8191e5204f2306cc91b 274768 ca-certificates_20140223.tar.xz
be6a0d32c76ae4adaafc04aefb56bb00b5cc72ed 190226 ca-certificates_20140223_all.deb
Checksums-Sha256:
d3be3f9ecba77f7feb176cbc1fb1df2ad320b29368b53a3d9d9f70a0713d5ce3 1420 ca-certificates_20140223.dsc
815b7cd97200b0d76450bb3e7d9b65997ac494ab6467b17369f65b2ef94bcb0c 274768 ca-certificates_20140223.tar.xz
13cb11144a97d95a8be130e4bcdd6c9ffc3df269bb194699bcd21ca377e01df2 190226 ca-certificates_20140223_all.deb
Files:
fcf461554a554420e0359d7810269cc0 1420 misc optional ca-certificates_20140223.dsc
ff4049c32342ea450cda82bb14026ffd 274768 misc optional ca-certificates_20140223.tar.xz
555a2965e08517f0ef84a8810016f75b 190226 misc optional ca-certificates_20140223_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJTIap0AAoJEFb2GnlAHawE+kAH/1QGWMJV89sAmclrYeeyDKvl
9PnaATmhoVow3yL+Qg/CBKUZeahlXrBdQt7QsItn6whH2NOQUiWbsprzImZdT3xo
GOHSWRBbjosmz1Uco1Iw2abdUIfPDnWvQEEo5oHnHg38s/3wcI/ADDTXkuf69PNT
joGdyBYsJyAH/ltw6WiwiKO0nYwAQv006d/Q9jn8rqOB0MIwx4EUR+Z/qtZRk++n
Xob/g6EsoqbKgB0MH4kqnhn1ZSKBQviTZOlhfkoe2KWfJZCpOmTmDYXdZb7Kh3TC
2nw+FC9ees/ccdwDrnGnif+Mp3CPGrXjbvDvH1kX04nFrP0fI86ClnNlE1VAnoQ=
=VLPi
-----END PGP SIGNATURE-----
--- End Message ---