Debian Bug report logs - #806239
ca-certificates: Contains unaudited root CAs

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andrew Ayer <agwa@andrewayer.name>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ca-certificates: Contains unaudited root CAs

Date: Wed, 25 Nov 2015 09:28:18 -0800 (PST)

Package: ca-certificates
Version: 20150426
Severity: important

Dear maintainer and security team,

ca-certificates hasn't been updated since April 2015.  Since then, 14
CAs have been removed from the NSS root store[1, 2].  ca-certificates in
stable hasn't been updated since October 2014.  Since then, 6 additional
CAs have been removed[3, 4].  ca-certificates in oldstable is even older.

This is concerning because some of the removed CAs have failed or are no
longer conducting audits, which means we have no idea what security
practices they are currently following.  Applications on Debian
which use the ca-certificates store still trust these CAs, putting
users at risk.  For example, the e-Guven root certificate, which
was removed from the NSS store in April due to "insufficient and outdated
audits"[5, 6], continues to be trusted in stable and oldstable.

First, could we get an update soon to ca-certificates that reflects these
removals?

Second, could ca-certificates be updated more frequently in the future?
Security Team, could updates to ca-certificates be pushed out through
security.debian.org for (old)stable?

If there is an issue of manpower, I'm willing to help co-maintain
ca-certificates (I'm a DM) and prepare packages for security.debian.org.
We're lucky that Mozilla runs such a great root program: it's thorough
and responsive, and aligns with Debian's values by being open and
community-driven.  Let's take full advantage of it in Debian!

Thanks,
Andrew


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1214729
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1175227
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1145270
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1088147
[5] https://blog.mozilla.org/security/2015/04/27/removing-e-guven-ca-certificate/
[6] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/LKJO9W5dkSY

Message #10 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: Andrew Ayer <agwa@andrewayer.name>, 806239@bugs.debian.org

Subject: Re: Bug#806239: ca-certificates: Contains unaudited root CAs

Date: Wed, 25 Nov 2015 12:30:18 -0600

Control: tags -1 + pending

On 11/25/2015 11:28 AM, Andrew Ayer wrote:
> ca-certificates hasn't been updated since April 2015.  Since then, 14
> CAs have been removed from the NSS root store[1, 2].  ca-certificates in
> stable hasn't been updated since October 2014.  Since then, 6 additional
> CAs have been removed[3, 4].  ca-certificates in oldstable is even older.

The April release contained the 2.4 bundle from Mozilla. CA bundle 2.5
was recently released in NSS and an upload to unstable is being prepped.

Main git repo:
http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git

My working git repo (ie, bundle 2.6 is already branched):
http://anonscm.debian.org/cgit/users/mshuler-guest/ca-certificates.git

> This is concerning because some of the removed CAs have failed or are no
> longer conducting audits, which means we have no idea what security
> practices they are currently following.  Applications on Debian
> which use the ca-certificates store still trust these CAs, putting
> users at risk.  For example, the e-Guven root certificate, which
> was removed from the NSS store in April due to "insufficient and outdated
> audits"[5, 6], continues to be trusted in stable and oldstable.
> 
> First, could we get an update soon to ca-certificates that reflects these
> removals?

Yes.

> Second, could ca-certificates be updated more frequently in the future?
> Security Team, could updates to ca-certificates be pushed out through
> security.debian.org for (old)stable?

For stable/oldstable releases, it may be appropriate for them to go
through the stable-updates suite.

> If there is an issue of manpower, I'm willing to help co-maintain
> ca-certificates (I'm a DM) and prepare packages for security.debian.org.
> We're lucky that Mozilla runs such a great root program: it's thorough
> and responsive, and aligns with Debian's values by being open and
> community-driven.  Let's take full advantage of it in Debian!

I try to track upstream releases and attend to bug reports as quickly as
possible, but patches are always welcomed. With several uploaders, I'm
not sure there needs to be another uploader, but sending patches to fix
things in the BTS would certainly be helpful.

Thanks!
Michael

Message #17 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Andrew Ayer <agwa@andrewayer.name>

To: 806239@bugs.debian.org

Subject: Re: Bug#806239: ca-certificates: Contains unaudited root CAs

Date: Wed, 25 Nov 2015 13:13:04 -0800

Hi Michael,

On Wed, 25 Nov 2015 12:30:18 -0600
Michael Shuler <michael@pbandjelly.org> wrote:

> Control: tags -1 + pending
> 
> On 11/25/2015 11:28 AM, Andrew Ayer wrote:
> > ca-certificates hasn't been updated since April 2015.  Since then,
> > 14 CAs have been removed from the NSS root store[1, 2].
> > ca-certificates in stable hasn't been updated since October 2014.
> > Since then, 6 additional CAs have been removed[3, 4].
> > ca-certificates in oldstable is even older.
> 
> The April release contained the 2.4 bundle from Mozilla. CA bundle 2.5
> was recently released in NSS and an upload to unstable is being
> prepped.

I'm not sure what these version numbers are.  NSS 3.19.3 was released
on August 7 and removed 5 CAs[1].  So why no release of ca-certificates
until now?

[1] https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/CIrDdx1e9EI

> Main git repo:
> http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
> 
> My working git repo (ie, bundle 2.6 is already branched):
> http://anonscm.debian.org/cgit/users/mshuler-guest/ca-certificates.git
> 
> > This is concerning because some of the removed CAs have failed or
> > are no longer conducting audits, which means we have no idea what
> > security practices they are currently following.  Applications on
> > Debian which use the ca-certificates store still trust these CAs,
> > putting users at risk.  For example, the e-Guven root certificate,
> > which was removed from the NSS store in April due to "insufficient
> > and outdated audits"[5, 6], continues to be trusted in stable and
> > oldstable.
> > 
> > First, could we get an update soon to ca-certificates that reflects
> > these removals?
> 
> Yes.

Thank you!

> > Second, could ca-certificates be updated more frequently in the
> > future? Security Team, could updates to ca-certificates be pushed
> > out through security.debian.org for (old)stable?
> 
> For stable/oldstable releases, it may be appropriate for them to go
> through the stable-updates suite.

OK.  As a data package that needs timely updating, it should qualify
for stable-updates.  As I understand the process, this requires
uploading to proposed-updates, and then the Stable Release Managers
pull it over to stable-updates[2].

[2] https://wiki.debian.org/StableUpdates

> > If there is an issue of manpower, I'm willing to help co-maintain
> > ca-certificates (I'm a DM) and prepare packages for
> > security.debian.org. We're lucky that Mozilla runs such a great
> > root program: it's thorough and responsive, and aligns with
> > Debian's values by being open and community-driven.  Let's take
> > full advantage of it in Debian!
> 
> I try to track upstream releases and attend to bug reports as quickly
> as possible, but patches are always welcomed. With several uploaders,
> I'm not sure there needs to be another uploader, but sending patches
> to fix things in the BTS would certainly be helpful.

Great! I will pay attention to your Git repo and do what I can to help
out.

Thanks,
Andrew

Message #22 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Andrew Ayer <agwa@andrewayer.name>

To: debian-release@lists.debian.org

Cc: 806239@bugs.debian.org

Subject: Updating ca-certificates through stable-updates

Date: Wed, 25 Nov 2015 13:18:19 -0800

Hi Stable Release Managers,

We're currently discussing in #806239 how to keep the
ca-certificates package more up-to-date in (old)stable.  Since
ca-certificates is a data package that needs timely updating (when CAs
are removed due to lapsed audits, they should be distrusted
immediately), it satisfies the criteria for stable-updates posted here:

	https://www.debian.org/News/2011/20110215

I just wanted to confirm that the SRMs would be OK pushing out new
ca-certificates packages through stable-updates.

Thanks,
Andrew

Message #27 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: 806239@bugs.debian.org

Cc: Andrew Ayer <agwa@andrewayer.name>

Subject: Re: Bug#806239: ca-certificates: Contains unaudited root CAs

Date: Wed, 25 Nov 2015 17:43:20 -0600

On 11/25/2015 03:13 PM, Andrew Ayer wrote:
>> The April release contained the 2.4 bundle from Mozilla. CA bundle 2.5
>> was recently released in NSS and an upload to unstable is being
>> prepped.

I was incorrect about the NSS release relative time being as recent as I
recalled. See below.

> I'm not sure what these version numbers are.  NSS 3.19.3 was released
> on August 7 and removed 5 CAs[1].  So why no release of ca-certificates
> until now?
> 
> [1] https://groups.google.com/forum/#!topic/mozilla.dev.tech.crypto/CIrDdx1e9EI

A ca-certificates version 2.5 example - it's contained in
mozilla/nssckbi.h in the ca-certificates package repo:
https://bugzilla.mozilla.org/show_bug.cgi?id=1190794

Thanks for the mailing list link. I follow the NSS mercurial repository
commits via RSS and check for merges from NSS dev to firefox release
repos. Looks like I checked on 10/22 to see if 2.5 was in the release
tree, but it was not, yet. The release tree I'm checking against is for
firefox releases, so this would be the real-world majority of users
getting CA updates. I started checking against actual firefox releases
after the 1024-bit removal, reinstatement, removal again issues.. I
don't think that cycle ever made it to a firefox release.

http://anonscm.debian.org/cgit/users/mshuler-guest/ca-certificates.git/commit/?id=f0d320ad9c517d8c5d2e308ec99e470df4cef938
"- would be nice if they would release NSS sometime soon with this
version.."

Obviously, it looks like I'll need to figure out a different way to
track releases if we want to be spot-on with NSS releases. Yet another
mailing list might be the only answer..

Feel free to add a BTS report when new NSS versions are released.

Thanks again for the feedback.
Michael

Message #32 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: debian-release@lists.debian.org

Cc: 806239@bugs.debian.org

Subject: Re: Updating ca-certificates through stable-updates

Date: Fri, 4 Dec 2015 23:36:57 -0600

On 11/25/2015 03:18 PM, Andrew Ayer wrote:
> Hi Stable Release Managers,
> 
> We're currently discussing in #806239 how to keep the
> ca-certificates package more up-to-date in (old)stable.  Since
> ca-certificates is a data package that needs timely updating (when CAs
> are removed due to lapsed audits, they should be distrusted
> immediately), it satisfies the criteria for stable-updates posted here:
> 
> 	https://www.debian.org/News/2011/20110215
> 
> I just wanted to confirm that the SRMs would be OK pushing out new
> ca-certificates packages through stable-updates.

Hi release team,

I just requested an upload of ca-certificates (20151204) to unstable,
and I would like to follow that up with stable-pu and oldstable-pu
updates to include the current Mozilla CA bundle changes for jessie and
wheezy.

I appears that I did a wheezy-pu update last year on #743156, but wanted
to clarify if these upcoming uploads will be acceptable.

-- 
Thank you!
Michael

Message #37 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Niels Thykier <niels@thykier.net>

To: Michael Shuler <michael@pbandjelly.org>, debian-release@lists.debian.org

Cc: 806239@bugs.debian.org, Andrew Ayer <agwa@andrewayer.name>

Subject: Re: Updating ca-certificates through stable-updates

Date: Sat, 5 Dec 2015 07:13:19 +0000

[Message part 1 (text/plain, inline)]

Michael Shuler:
> On 11/25/2015 03:18 PM, Andrew Ayer wrote:
>> Hi Stable Release Managers,
>>
>> We're currently discussing in #806239 how to keep the
>> ca-certificates package more up-to-date in (old)stable.  Since
>> ca-certificates is a data package that needs timely updating (when CAs
>> are removed due to lapsed audits, they should be distrusted
>> immediately), it satisfies the criteria for stable-updates posted here:
>>
>> 	https://www.debian.org/News/2011/20110215
>>
>> I just wanted to confirm that the SRMs would be OK pushing out new
>> ca-certificates packages through stable-updates.
> 
> Hi release team,
> 
> I just requested an upload of ca-certificates (20151204) to unstable,
> and I would like to follow that up with stable-pu and oldstable-pu
> updates to include the current Mozilla CA bundle changes for jessie and
> wheezy.
> 
> I appears that I did a wheezy-pu update last year on #743156, but wanted
> to clarify if these upcoming uploads will be acceptable.
> 

Hi,

Thanks for the interest in patching ca-certificates in the stable releases.

Could I perhaps convince you to file this (kind of) request as a pu bug?
 They are much easier for us to track than mails to the mailing list.
  I appreciate that you might have been sending this mail to avoid the
pu-bug.  Unfortunately, we often end up forgetting the mail on our TODO
list if it is not listed in the bug tracker.

Thanks,
~Niels

[signature.asc (application/pgp-signature, attachment)]

Message #40 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>

To: Michael Shuler <michael@pbandjelly.org>, debian-release@lists.debian.org, 806239@bugs.debian.org, Andrew Ayer <agwa@andrewayer.name>

Subject: Re: Updating ca-certificates through stable-updates

Date: Sat, 5 Dec 2015 23:25:31 +0100

[Message part 1 (text/plain, inline)]

> Could I perhaps convince you to file this (kind of) request as a pu bug?
>  They are much easier for us to track than mails to the mailing list.
>   I appreciate that you might have been sending this mail to avoid the
> pu-bug.  Unfortunately, we often end up forgetting the mail on our TODO
> list if it is not listed in the bug tracker.

There's that and it helps to look at the debdiff to see what the actual
changes are. Cert updates are likely to be much easier on us than
packaging/script updates.

Kind regards
Philipp Kern

[signature.asc (application/pgp-signature, inline)]

Message #45 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: debian-release@lists.debian.org, 806239@bugs.debian.org, Andrew Ayer <agwa@andrewayer.name>

Subject: Re: Updating ca-certificates through stable-updates

Date: Sat, 5 Dec 2015 20:53:02 -0600

[Message part 1 (text/plain, inline)]

On 12/05/2015 04:25 PM, Philipp Kern wrote:
>> Could I perhaps convince you to file this (kind of) request as a pu bug?
>>  They are much easier for us to track than mails to the mailing list.
>>   I appreciate that you might have been sending this mail to avoid the
>> pu-bug.  Unfortunately, we often end up forgetting the mail on our TODO
>> list if it is not listed in the bug tracker.
> 
> There's that and it helps to look at the debdiff to see what the actual
> changes are. Cert updates are likely to be much easier on us than
> packaging/script updates.

I'll go ahead and get the packages built and open up a pu bug with the
debdiffs. Thanks!

-- 
Kind regards,
Michael

[signature.asc (application/pgp-signature, attachment)]

Message #50 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Andrew Ayer <agwa@andrewayer.name>

To: 806239@bugs.debian.org

Subject: Re: Bug#806239: Updating ca-certificates through stable-updates

Date: Mon, 14 Dec 2015 16:22:46 -0800

On Fri, 4 Dec 2015 23:36:57 -0600
Michael Shuler <michael@pbandjelly.org> wrote:
 
> Hi release team,
> 
> I just requested an upload of ca-certificates (20151204) to unstable,
> and I would like to follow that up with stable-pu and oldstable-pu
> updates to include the current Mozilla CA bundle changes for jessie
> and wheezy.

Hi Michael,

I'm curious why the 2.6 update wasn't included with the 20151204
release.

I've been told that one of the roots that was removed in the 2.6 update
is going to be used by the CA to issue certificates that violate the
Baseline Requirements[1].  It would be nice for Debian to stop trusting
it before the CA starts doing this.

Thanks,
Andrew

[1] This root is in addition to the Symantec root I mentioned in
#721976. Indeed, multiple CAs are doing this, which underscores the
need for timely root store updates.

Message #55 received at 806239@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: Andrew Ayer <agwa@andrewayer.name>, 806239@bugs.debian.org

Cc: Thijs Kinkhorst <thijs@debian.org>, Raphael Geissert <geissert@debian.org>

Subject: Re: Bug#806239: Updating ca-certificates through stable-updates

Date: Mon, 14 Dec 2015 18:36:15 -0600

On 12/14/2015 06:22 PM, Andrew Ayer wrote:
> I'm curious why the 2.6 update wasn't included with the 20151204
> release.

Thanks.

Thijs and/or Raphael. Please, hold until some additional changes can be
committed to include 2.6.

NSS released 2.6 while working on 2.5, essentially, Andrew.

-- 
Michael

Message #60 received at 806239-close@bugs.debian.org (full text, mbox, reply):

From: Michael Shuler <michael@pbandjelly.org>

To: 806239-close@bugs.debian.org

Subject: Bug#806239: fixed in ca-certificates 20141019+deb8u1

Date: Tue, 05 Jan 2016 22:47:09 +0000

Source: ca-certificates
Source-Version: 20141019+deb8u1

We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806239@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Shuler <michael@pbandjelly.org> (supplier of updated ca-certificates package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Dec 2015 20:46:50 -0600
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20141019+deb8u1
Distribution: stable
Urgency: medium
Maintainer: Michael Shuler <michael@pbandjelly.org>
Changed-By: Michael Shuler <michael@pbandjelly.org>
Description:
 ca-certificates - Common CA certificates
Closes: 806239
Changes:
 ca-certificates (20141019+deb8u1) stable; urgency=medium
 .
   * mozilla/{certdata.txt,nssckbi.h}:
     Update Mozilla certificate authority bundle to version 2.6.
     Closes: #806239
     The following certificate authorities were added (+):
     + "CA WoSign ECC Root"
     + "Certification Authority of WoSign G2"
     + "Certinomis - Root CA"
     + "CFCA EV ROOT"
     + "COMODO RSA Certification Authority"
     + "Entrust Root Certification Authority - EC1"
     + "Entrust Root Certification Authority - G2"
     + "GlobalSign ECC Root CA - R4"
     + "GlobalSign ECC Root CA - R5"
     + "IdenTrust Commercial Root CA 1"
     + "IdenTrust Public Sector Root CA 1"
     + "OISTE WISeKey Global Root GB CA"
     + "S-TRUST Universal Root CA"
     + "Staat der Nederlanden EV Root CA"
     + "Staat der Nederlanden Root CA - G3"
     + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
     + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
     + "USERTrust ECC Certification Authority"
     + "USERTrust RSA Certification Authority"
     The following certificate authorities were removed (-):
     - "A-Trust-nQual-03"
     - "America Online Root Certification Authority 1"
     - "America Online Root Certification Authority 2"
     - "Buypass Class 3 CA 1"
     - "ComSign Secured CA"
     - "Digital Signature Trust Co. Global CA 1"
     - "Digital Signature Trust Co. Global CA 3"
     - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
     - "GTE CyberTrust Global Root"
     - "SG TRUST SERVICES RACINE"
     - "TC TrustCenter Class 2 CA II"
     - "TC TrustCenter Universal CA I"
     - "Thawte Premium Server CA"
     - "Thawte Server CA"
     - "TURKTRUST Certificate Services Provider Root 1"
     - "TURKTRUST Certificate Services Provider Root 2"
     - "UTN DATACorp SGC Root CA"
     - "Verisign Class 4 Public Primary Certification Authority - G3"
Checksums-Sha1:
 7ab91001176a4e35a979114fc561efb1c8189134 1433 ca-certificates_20141019+deb8u1.dsc
 416383cfb78e3838208bec97cfe3412b848091fb 295128 ca-certificates_20141019+deb8u1.tar.xz
 f34585d24e2739eab25a1ba956875fd34a4f3f93 203696 ca-certificates_20141019+deb8u1_all.deb
Checksums-Sha256:
 d1f91f7a31060dae8611347b31c1afca8f7afe600f4b7adefcb966d80f60368a 1433 ca-certificates_20141019+deb8u1.dsc
 2066818ba8214001053c8889f409d062826cb37971723e1067cb1a830df8b18a 295128 ca-certificates_20141019+deb8u1.tar.xz
 f58d646045855277c87f532ea5c18df319e91d9892437880c9a0169b834f1bd8 203696 ca-certificates_20141019+deb8u1_all.deb
Files:
 0a21d3918eb4a79cd28a081708e5edf6 1433 misc optional ca-certificates_20141019+deb8u1.dsc
 c928c90a76c27c54a1d795f7edfff4af 295128 misc optional ca-certificates_20141019+deb8u1.tar.xz
 780614ba53f17d20426684d90836b600 203696 misc optional ca-certificates_20141019+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJWiquzAAoJEFb2GnlAHawEaecIAIsplkvCO583HSOwaLS6TYUd
wEjbiqcApQRkDykpodJMY56iXRefPifgSnQ4x2/RJ0o27LlJQ8jBi0+vj/qrbdQK
b2BT/LMn3dfPvRyIgcgFk5UmIE8Ap9Y4Ei+WrU9gShWskpWUo8GAJcw3OJdOw9QL
WoElB94ay3Edz9/3fYOqZNpnfgGW1w5NdjPm5ectAwG0r3+R35m9dCppoPFVIShv
SnpoTWzeOBzBkBQnudtwPleqdN4yblxpA2K9HgR2wGJqhJEwqEflaIveWrivqAp6
lzC91WjKGsYr/NcW/+kQqKdp/0Zpoxv75ndC0R4+4ek2LdFQrHLVzdQLsZq75+o=
=m/en
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.