*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
Binary package hint: ca-certificates

CAcert has re-signed its Class 3-certificate with a new SHA256 signature. The formerly used MD5 signature is not seen as fully secure any more by Mozilla (see: https://wiki.mozilla.org/CA:MD5and1024). Users of Mozilla products like Firefox, and Thunderbird may experience errors when these programs try to verify such certificates - others may follow.

Hence all users of CAcert's Class 3-certificates have to download and install the newly signed certificates from CAcert's website.

The procedure in short:

1. Download the new Class 3 PKI Key from http://www.cacert.org/index.php?id=3
2. SHA1-fingerprint must be: AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
3. Make it of use in the ca-certificates package

I have clicked the checkbox that this bug is a security vulnerability. Well, not in the package itself, and the file also not. But if not updated users experience errors and may find a security issue has occurred when it has not, or will experience a security vulnerability because they have called a bad site with a hacked MD5 signature. So I consider this as a security issue of priority low.

Nevertheless I would definitely recommend to include the update in all supported Ubuntu versions.

In case of further questions please don't hesitate to contact me.

Best regards,
Alexander Bahlo, CAcert.

** Affects: ca-certificates (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: cacert certificates md5 security

--
New signatures for CAcert-Class 3-Subroot-certificate
https://bugs.launchpad.net/bugs/796227
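An added example, not part of the original bug report or of the ca-certificates package: a standard-library Python check for step 2 that compares a downloaded PEM certificate's SHA-1 fingerprint with the published value and also confirms that the outer signature algorithm is SHA-256 rather than MD5. The function names and the `sample_pem` skeleton are assumptions made for illustration; the skeleton is constructed data, not a real CAcert certificate.

```python
import base64, hashlib, hmac, re

# DER-encoded OIDs of the two signature algorithms the report is about
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def signature_algorithm(der):
    cert_start, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, tbs_end = read_tlv(der, cert_start)        # skip over tbsCertificate
    alg_start, _ = read_tlv(der, tbs_end)         # signatureAlgorithm SEQUENCE
    oid_start, oid_end = read_tlv(der, alg_start) # algorithm OID
    return SIG_OIDS.get(der[oid_start:oid_end], "other")

def sha1_fingerprint(der):
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def check_certificate(pem, expected_fp):
    """True only if the fingerprint matches AND the signature is SHA-256 based."""
    der = pem_to_der(pem)
    fp_ok = hmac.compare_digest(sha1_fingerprint(der), expected_fp.strip().upper())
    alg = signature_algorithm(der)
    return fp_ok and alg == "sha256WithRSAEncryption", alg

def tlv(tag, content):                      # helper for the sample; short lengths only
    return bytes([tag, len(content)]) + content

def sample_pem(oid):
    """Constructed certificate-shaped skeleton, NOT a real CAcert certificate."""
    body = tlv(0x30, b"constructed-tbs") + tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")) + tlv(0x03, b"\x00sig")
    b64 = base64.b64encode(tlv(0x30, body)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

For the real file, pass the PEM text of the downloaded certificate and the fingerprint quoted in step 2; the fingerprint only means something if it was obtained over a channel independent of the download.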
