Bug#962596: (no subject)

2020-07-02 Thread Michael Catanzaro
It doesn't make sense for Debian to remove certificates that are still 
distributed by Mozilla and required in practice. Including intermediate 
CAs won't be necessary once this is fixed. (That is, assuming you fix 
upgraded systems somehow. In the meantime, everyone who upgrades 
ca-certificates to the broken version will be permanently broken due to 
the aforementioned Debian-specific update-ca-certificates bug.)
Bug#962596: (no subject)

2020-06-17 Thread Michael Catanzaro

Hi,

I asked Fedora's ca-certificates maintainer to comment on this. I 
didn't fully understand his reply, but he says this was some sort of 
mistake in Debian's package and not an upstream problem: 
https://bugzilla.redhat.com/show_bug.cgi?id=1845988#c3


"""
So Mozilla lists relevant changes between NSS processing and the raw 
cert trust database here: 
https://wiki.mozilla.org/CA/Additional_Trust_Changes . NSS was indeed 
whitelisting accepted intermediates, but it also didn't explicitly 
remove the target CAs from the trust list. It now uses 
CKA_NSS_SERVER_DISTRUST_AFTER to handle how it distrusts the given CAs.


I've verified that the cert has not been removed from the current trust 
list, but CKA_NSS_SERVER_DISTRUST_AFTER has been set in the latest 
version. This means if the certs issued from this CA were issued after 
the specified date, then they would be distrusted; otherwise they 
will continue to be trusted.


I suspect Debian took out the certs from the trust store altogether, 
rather than processing the list straight from Mozilla.


Upshot: if you process CKA_NSS_SERVER_DISTRUST_AFTER, then you will get 
safer behavior; otherwise the CAs are still trusted in the latest list.

"""

I suspect you have more broken certificates that need to be restored 
than just GeoTrust.


Furthermore, last time we had a major Debian-specific certificate 
verification issue, we discovered that Debian is not actually capable 
of restoring previously-removed certificates without manual user 
intervention, see 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339. That means 
that even once these certificates are restored, users who have already 
updated to the affected version of ca-certificates will suffer 
permanently broken certificate verification unless they have found this 
bug report and know to take manual intervention, because the 
certificates will remain disabled locally.


Michael
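The distinction the quoted Fedora reply draws, between dropping a root from the store altogether and processing CKA_NSS_SERVER_DISTRUST_AFTER, is illustrated below in an added Python example. It is not part of this bug thread and is not Debian's, Fedora's or Mozilla's code. It parses a constructed fragment laid out like Mozilla's certdata.txt (the root labels are invented; the attribute is written, as in certdata.txt, as a 13-byte UTCTime string in escaped octal), then applies the rule the reply describes: a certificate issued after the cutoff is distrusted for server auth, one issued before it stays trusted. Treating a notBefore exactly equal to the cutoff as still trusted is an assumption of this example.

```python
import re
from datetime import datetime, timezone

# Constructed fragment in the layout of Mozilla's certdata.txt (not a real
# entry and not Debian's or Fedora's code). The first trust object carries
# CKA_NSS_SERVER_DISTRUST_AFTER as the UTCTime string "190801000000Z" in
# escaped octal bytes; the second has the attribute unset (CK_FALSE).
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\060\070\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Other Root CA (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
_LABEL = re.compile(r'^CKA_LABEL UTF8 "(.*)"$')


def utc(year, month, day):
    """Build a timezone-aware UTC datetime (used for notBefore values)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _decode_octal(lines):
    """Turn MULTILINE_OCTAL body lines such as '\\061\\071...' into bytes."""
    return bytes(int(o, 8) for o in _OCTAL_ESCAPE.findall("".join(lines)))


def parse_trust_entries(certdata):
    """Map each trust-object label to its server distrust-after date.

    The value is a UTC datetime when CKA_NSS_SERVER_DISTRUST_AFTER is set,
    or None when the attribute is CK_FALSE (no date-based server distrust).
    """
    entries = {}
    label = None
    lines = iter(certdata.splitlines())
    for line in lines:
        line = line.strip()
        m = _LABEL.match(line)
        if m:
            label = m.group(1)
            entries.setdefault(label, None)
            continue
        if label is None or not line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER"):
            continue
        if line.endswith("MULTILINE_OCTAL"):
            body = []
            for body_line in lines:  # consume the octal body up to END
                if body_line.strip() == "END":
                    break
                body.append(body_line.strip())
            stamp = _decode_octal(body).decode("ascii")  # e.g. 190801000000Z
            entries[label] = datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(
                tzinfo=timezone.utc
            )
        # A "CK_BBOOL CK_FALSE" line leaves the entry at None.
    return entries


def server_trusted(entries, label, not_before):
    """Decide server-auth trust for a leaf chaining to the root `label`.

    A root absent from the store is not trusted at all (the "taken out
    altogether" case the thread describes); a root without a cutoff stays
    trusted; a root with a cutoff is trusted only for certificates whose
    notBefore is on or before that date (equality is an assumption here).
    """
    if label not in entries:
        return False
    cutoff = entries[label]
    return cutoff is None or not_before <= cutoff


if __name__ == "__main__":
    store = parse_trust_entries(SAMPLE_CERTDATA)
    for root, issued in [
        ("Example Root CA (constructed)", utc(2018, 1, 1)),
        ("Example Root CA (constructed)", utc(2020, 1, 1)),
        ("Other Root CA (constructed)", utc(2025, 1, 1)),
        ("Removed Root CA (constructed)", utc(2018, 1, 1)),
    ]:
        print(root, issued.date(), "->", server_trusted(store, root, issued))
```

Run as a script it prints one decision per line; the point of contrast is the last two rows: a root whose attribute is unset keeps working, while a root that is simply missing from the store fails every chain, including those issued long before any cutoff.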