Debian Bug report logs - #962596
ca-certificates: Removal of GeoTrust Global CA requires investigation
Reported by: Philippe Normand <phil@base-art.net>
Date: Wed, 10 Jun 2020 14:54:01 UTC
Severity: serious
Found in versions ca-certificates/20200601~deb9u1, ca-certificates/20200601~deb10u1, ca-certificates/20200601
Fixed in versions ca-certificates/20210119, ca-certificates/20200601~deb10u2
Done: Julien Cristau <jcristau@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Wed, 10 Jun 2020 14:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Philippe Normand <phil@base-art.net>:
New Bug report received and forwarded. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Wed, 10 Jun 2020 14:54:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ca-certificates
Version: 20200601
Severity: normal
Dear Maintainer,
Since the update of ca-certificates to version 20200601 I can no longer access
webkit.org websites.
$ gnutls-cli webkit.org
Processed 114 CA certificate(s).
Resolving 'webkit.org:443'...
Connecting to '54.190.50.171:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,O=Apple Inc.,OU=management:idms.group.764034,CN=www.webkit.org', issuer `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1', serial 0x56bad882747e779b546f5fe1f1728a4b, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-03-14 16:13:54 UTC', expires `2021-04-12 16:13:54 UTC', pin-sha256="wn1o7E4lMWKKBJYbeB8g/ZdNmeyrdOBvFA9yxI9H+Kk="
Public Key ID:
sha1:1020bd7159d9a3bb418ff02ee22f968359843074
sha256:c27d68ec4e2531628a04961b781f20fd974d99ecab74e06f140f72c48f47f8a9
Public Key PIN:
pin-sha256:wn1o7E4lMWKKBJYbeB8g/ZdNmeyrdOBvFA9yxI9H+Kk=
- Certificate[1] info:
- subject `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1', issuer `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US', serial 0x023a74, RSA key 2048 bits, signed using RSA-SHA256, activated `2014-06-16 15:42:02 UTC', expires `2022-05-20 15:42:02 UTC', pin-sha256="tc+C1H75gj+ap48SMYbFLoh56oSw+CLJHYPgQnm3j9U="
- Certificate[2] info:
- subject `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US', issuer `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US', serial 0x023456, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2002-05-21 04:00:00 UTC', expires `2022-05-21 04:00:00 UTC', pin-sha256="h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-2-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ca-certificates depends on:
ii debconf [debconf-2.0] 1.5.74
ii openssl 1.1.1g-1
ca-certificates recommends no packages.
ca-certificates suggests no packages.
-- debconf information:
* ca-certificates/enable_crts: extra/mitmproxy-ca-cert.crt, mozilla/ACCVRAIZ1.crt, mozilla/AC_RAIZ_FNMT-RCM.crt, mozilla/Actalis_Authentication_Root_CA.crt, mozilla/AffirmTrust_Commercial.crt, mozilla/AffirmTrust_Networking.crt, mozilla/AffirmTrust_Premium.crt, mozilla/AffirmTrust_Premium_ECC.crt, mozilla/Amazon_Root_CA_1.crt, mozilla/Amazon_Root_CA_2.crt, mozilla/Amazon_Root_CA_3.crt, mozilla/Amazon_Root_CA_4.crt, mozilla/Atos_TrustedRoot_2011.crt, mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_Root_CA.crt, mozilla/Buypass_Class_3_Root_CA.crt, mozilla/CA_Disig_Root_R2.crt, mozilla/Certigna.crt, mozilla/certSIGN_ROOT_CA.crt, mozilla/Certum_Trusted_Network_CA_2.crt, mozilla/Certum_Trusted_Network_CA.crt, mozilla/CFCA_EV_ROOT.crt, mozilla/Chambers_of_Commerce_Root_-_2008.crt, mozilla/Comodo_AAA_Services_root.crt, mozilla/COMODO_Certification_Authority.crt, mozilla/COMODO_ECC_Certification_Authority.crt, mozilla/COMODO_RSA_Certification_Authority.crt, mozilla/Cybertrust_Global_Root.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Assured_ID_Root_G2.crt, mozilla/DigiCert_Assured_ID_Root_G3.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/DigiCert_Global_Root_G2.crt, mozilla/DigiCert_Global_Root_G3.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DigiCert_Trusted_Root_G4.crt, mozilla/DST_Root_CA_X3.crt, mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt, mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt, mozilla/EC-ACC.crt, mozilla/EE_Certification_Centre_Root_CA.crt, mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, mozilla/Entrust_Root_Certification_Authority.crt, mozilla/Entrust_Root_Certification_Authority_-_EC1.crt, mozilla/Entrust_Root_Certification_Authority_-_G2.crt, mozilla/ePKI_Root_Certification_Authority.crt, mozilla/E-Tugra_Certification_Authority.crt, mozilla/GDCA_TrustAUTH_R5_ROOT.crt, mozilla/GeoTrust_Universal_CA_2.crt, 
mozilla/Global_Chambersign_Root_-_2008.crt, mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, mozilla/GlobalSign_Root_CA_-_R6.crt, mozilla/Go_Daddy_Class_2_CA.crt, mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt, mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt, mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt, mozilla/Hongkong_Post_Root_CA_1.crt, mozilla/IdenTrust_Commercial_Root_CA_1.crt, mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, mozilla/Izenpe.com.crt, mozilla/LuxTrust_Global_Root_2.crt, mozilla/Microsec_e-Szigno_Root_CA_2009.crt, mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, mozilla/Network_Solutions_Certificate_Authority.crt, mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt, mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt, mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/Secure_Global_CA.crt, mozilla/SecureSign_RootCA11.crt, mozilla/SecureTrust_CA.crt, mozilla/Security_Communication_RootCA2.crt, mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_2_Root_CA.crt, mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt, mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt, mozilla/SSL.com_Root_Certification_Authority_ECC.crt, mozilla/SSL.com_Root_Certification_Authority_RSA.crt, mozilla/Staat_der_Nederlanden_EV_Root_CA.crt, mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt, mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt, mozilla/Starfield_Class_2_CA.crt, mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, 
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/SZAFIR_ROOT_CA2.crt, mozilla/Taiwan_GRCA.crt, mozilla/TeliaSonera_Root_CA_v1.crt, mozilla/TrustCor_ECA-1.crt, mozilla/TrustCor_RootCert_CA-1.crt, mozilla/TrustCor_RootCert_CA-2.crt, mozilla/Trustis_FPS_Root_CA.crt, mozilla/T-TeleSec_GlobalRoot_Class_2.crt, mozilla/T-TeleSec_GlobalRoot_Class_3.crt, mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt, mozilla/TWCA_Global_Root_CA.crt, mozilla/TWCA_Root_Certification_Authority.crt, mozilla/USERTrust_ECC_Certification_Authority.crt, mozilla/USERTrust_RSA_Certification_Authority.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, mozilla/XRamp_Global_CA_Root.crt
ca-certificates/title:
* ca-certificates/trust_new_crts: yes
ca-certificates/new_crts:
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Wed, 10 Jun 2020 20:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Wed, 10 Jun 2020 20:30:02 GMT) (full text, mbox, link).
Message #10 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 10/06/2020 16:51, Philippe Normand wrote:
> Package: ca-certificates
> Version: 20200601
> Severity: normal
>
> Dear Maintainer,
>
> Since the update of ca-certificates to version 20200601 I can no longer access
> webkit.org websites.
>
The removed CA (GeoTrust Global CA) is used to sign the Apple
intermediate certificate "Apple IST CA 2 - G1".
Firefox and Chrome have some sort of hack (likely a whitelist)
specifically to trust these Apple intermediate CAs:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
So the website still works in Firefox and Chrome on Debian, even with
GeoTrust removed. But it doesn't work with GnuTLS (or the Epiphany web
browser).
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 11 Jun 2020 10:00:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Nick Digalakis <ntd@3cx.com>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Thu, 11 Jun 2020 10:00:02 GMT) (full text, mbox, link).
Message #15 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Dear Maintainer,
To add, this root CA is also used in Apple's APNS (Push) endpoints.
With the update, systems are not able to connect anymore to this
service to deliver notifications to iOS and macOS devices.
Regards,
Team 3CX
--
Regards,
Nick Digalakis
Quality Assurance & Community Manager
Phone:+1 813-591-0141
[Message part 2 (text/html, inline)]
Added indication that 962596 affects release.debian.org
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Thu, 11 Jun 2020 10:57:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#962596; Package ca-certificates.
(Thu, 11 Jun 2020 13:24:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Shuler <michael@pbandjelly.org>:
Extra info received and forwarded to list.
(Thu, 11 Jun 2020 13:24:02 GMT) (full text, mbox, link).
Message #22 received at 962596@bugs.debian.org (full text, mbox, reply):
Control: severity -1 important
(cc'ed bug reporters and those on a direct email to ack)
On 6/10/20 3:27 PM, Carlos Alberto Lopez Perez wrote:
> On 10/06/2020 16:51, Philippe Normand wrote:
>> Since the update of ca-certificates to version 20200601 I can no longer access
>> webkit.org websites.
>
> The removed CA (GeoTrust Global CA) is used to sign the Apple
> intermediate certificate "Apple IST CA 2 - G1".
>
> Firefox and Chrome have some sort of hack (likely a whitelist)
> specifically to trust this Apple's intermediate CAs:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
>
> So the website still works in Firefox and Chrome on Debian, even with
> GeoTrust removed. But it doesn't work with GnuTLS (or the Epiphany web
> browser).
Thanks for the bug report. I will work on reverting the blacklist commit
and get with the release team when that is completed.
Kind regards,
Michael
Severity set to 'important' from 'normal'
Request was from Michael Shuler <michael@pbandjelly.org>
to 962596-submit@bugs.debian.org.
(Thu, 11 Jun 2020 13:24:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 11 Jun 2020 13:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Borg <mb@3cx.com>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Thu, 11 Jun 2020 13:33:03 GMT) (full text, mbox, link).
Message #29 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Will this happen today? Cause I have many users with such problems!
Regards,
Michael Borg
Product Director
Phone: +357 22 444 032
On Thu, Jun 11, 2020 at 4:22 PM Michael Shuler <michael@pbandjelly.org>
wrote:
> Control: severity -1 important
>
> (cc'ed bug reporters and those on a direct email to ack)
>
> On 6/10/20 3:27 PM, Carlos Alberto Lopez Perez wrote:
> > On 10/06/2020 16:51, Philippe Normand wrote:
> >> Since the update of ca-certificates to version 20200601 I can no longer access
> >> webkit.org websites.
> >
> > The removed CA (GeoTrust Global CA) is used to sign the Apple
> > intermediate certificate "Apple IST CA 2 - G1".
> >
> > Firefox and Chrome have some sort of hack (likely a whitelist)
> > specifically to trust this Apple's intermediate CAs:
> > https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
> >
> > So the website still works in Firefox and Chrome on Debian, even with
> > GeoTrust removed. But it doesn't work with GnuTLS (or the Epiphany web
> > browser).
>
> Thanks for the bug report. I will work on reverting the blacklist commit
> and get with the release team when that is completed.
>
> Kind regards,
> Michael
>
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#962596; Package ca-certificates.
(Thu, 11 Jun 2020 15:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Shuler <michael@pbandjelly.org>:
Extra info received and forwarded to list.
(Thu, 11 Jun 2020 15:51:02 GMT) (full text, mbox, link).
Message #34 received at 962596@bugs.debian.org (full text, mbox, reply):
Control: severity -1 serious
Control: tags -1 + pending
Control: tags 942915 + pending
Bump severity. Pending branch commits:
master: commit 679daf6e9bf6fcdcb574b8029297d24836fafde0
Revert "Set release 20200601; add Symantec CAs to blacklist"
This reverts commit 1efe81a680eedb94111716c8825290a0cde509af.
debian-buster: commit 442fd47f4831483b72329e0df1f6260e4a91ab36
Merge branch 'master' into debian-buster
debian-stretch: commit c151326dda72f703f7001f655e331b548eb1e411
Merge branch 'debian-buster' into debian-stretch
Kind regards,
Michael
Severity set to 'serious' from 'important'
Request was from Michael Shuler <michael@pbandjelly.org>
to 962596-submit@bugs.debian.org.
(Thu, 11 Jun 2020 15:51:02 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Michael Shuler <michael@pbandjelly.org>
to 962596-submit@bugs.debian.org.
(Thu, 11 Jun 2020 15:51:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 11 Jun 2020 17:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Thu, 11 Jun 2020 17:03:04 GMT) (full text, mbox, link).
Message #43 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 11/06/2020 18:34, Michael Borg wrote:
> Yep I know but I cannot tell all my customers to run this workaround, some
> of our users are not experienced at all.... The only thing I see here is
> that I need to provide a hotfix ourselves. We cannot wait for days... You
> are saying we cannot make an exception and push this fix ASAP?
Pushing packages to Debian takes time. If you need something for today you need to fix it yourself.
You can downgrade to the old version of the ca-certificates package or install the missing certificate manually.
This recipe does that:
wget --no-check-certificate -c https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem \
&& mkdir -p /usr/local/share/ca-certificates/extra \
&& mv GeoTrust_Global_CA.pem /usr/local/share/ca-certificates/extra/GeoTrust_Global_CA.crt \
&& update-ca-certificates
And when you upgrade to the fixed version of ca-certificates you can remove the directory /usr/local/share/ca-certificates/extra
and run the command update-ca-certificates again.
[signature.asc (application/pgp-signature, attachment)]
Marked as found in versions ca-certificates/20200601~deb10u1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Thu, 11 Jun 2020 19:42:04 GMT) (full text, mbox, link).
Marked as found in versions ca-certificates/20200601~deb9u1.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Thu, 11 Jun 2020 19:42:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Wed, 17 Jun 2020 13:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Catanzaro <mcatanzaro@gnome.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
(Wed, 17 Jun 2020 13:27:02 GMT) (full text, mbox, link).
Message #52 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi,
I asked Fedora's ca-certificates maintainer to comment on this. I
didn't fully understand his reply, but he says this was some sort of
mistake in Debian's package and not an upstream problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1845988#c3
"""
So mozilla lists relevant changes between NSS processing and the raw
cert trust database here:
https://wiki.mozilla.org/CA/Additional_Trust_Changes . NSS was indeed
whitelisting accepted intermediates, but it also didn't explicitly
remove the target CAs from the trust list. It now uses
CKA_NSS_SERVER_DISTRUST_AFTER to handle how it distrusts the given CAs.
I've verified that the cert has not been removed from the current trust
list, but CKA_NSS_SERVER_DISTRUST_AFTER has been set in the latest
version. This means that if a cert issued from this CA was issued after
the specified date, then it will be distrusted; otherwise it
will continue to be trusted.
I suspect Debian took out the certs from the trust store altogether,
rather than processing the list straight from mozilla.
Upshot: if you process CKA_NSS_SERVER_DISTRUST_AFTER, then you will get
safer behavior; otherwise the CAs are still trusted in the latest list.
"""
I suspect you have more broken certificates that need to be restored
than just GeoTrust.
Furthermore, last time we had a major Debian-specific certificate
verification issue, we discovered that Debian is not actually capable
of restoring previously-removed certificates without manual user
intervention, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339. That means
that even once these certificates are restored, users who have already
updated to the affected version of ca-certificates will suffer
permanently broken certificate verification unless they have found this
bug report and know to take manual intervention, because the
certificates will remain disabled locally.
Michael
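The distinction the Fedora reply draws, dropping a root outright versus keeping it and honouring CKA_NSS_SERVER_DISTRUST_AFTER, as an added example that is not code from Debian's ca-certificates, Mozilla's NSS or anyone in this thread. The certdata.txt excerpt is constructed and its cutoff date is a placeholder, not Mozilla's real value for this root; the only value taken from the page is the 'activated' date of the www.webkit.org leaf in the first message.

```python
"""Apply the CKA_NSS_SERVER_DISTRUST_AFTER rule described in the Fedora reply.

Added example for this bug thread; it is neither Debian's certdata2pem.py nor
NSS code.  The certdata.txt excerpt below is CONSTRUCTED: the label matches the
root under discussion, but the distrust-after date is a placeholder.
"""
from datetime import datetime

# Constructed certdata.txt-style excerpt: one CKO_CERTIFICATE object and the
# CKO_NSS_TRUST object for the same label.  The MULTILINE_OCTAL block encodes
# the ASCII string "191201000000Z" (placeholder cutoff 2019-12-01 00:00:00 UTC).
SAMPLE_CERTDATA = r"""# constructed sample, not the real Mozilla bundle
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "GeoTrust Global CA"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\061\062\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "GeoTrust Global CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""


def _octal_block(lines, i):
    """Decode MULTILINE_OCTAL lines (\\NNN escapes) up to END; return (bytes, next index)."""
    out = bytearray()
    while lines[i].strip() != "END":
        out.extend(int(tok, 8) for tok in lines[i].strip().split("\\") if tok)
        i += 1
    return bytes(out), i + 1


def parse_certdata(text):
    """Parse certdata.txt into a list of objects (dict of CKA_* -> value).
    Objects are separated by blank lines; MULTILINE_OCTAL values become bytes."""
    objects, current, lines, i = [], {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("#"):
            continue
        if not line:
            if current:
                objects.append(current)
            current = {}
            continue
        parts = line.split(None, 2)
        attr, ctype = parts[0], parts[1]
        if ctype == "MULTILINE_OCTAL":
            current[attr], i = _octal_block(lines, i)
        elif ctype == "UTF8":
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2]
    if current:
        objects.append(current)
    return objects


def distrust_after(cert_obj):
    """Return the CKA_NSS_SERVER_DISTRUST_AFTER cutoff ("YYMMDDHHMMSSZ") as a
    naive UTC datetime, or None when the attribute is absent or CK_FALSE."""
    raw = cert_obj.get("CKA_NSS_SERVER_DISTRUST_AFTER")
    if not isinstance(raw, bytes):
        return None
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")


def server_auth_trusted(objects, root_label, leaf_not_before_utc):
    """NSS-style decision for a chain ending at root_label: the root must be a
    TLS server-auth trust anchor, and a leaf whose notBefore (given as
    'YYYY-MM-DD HH:MM:SS' UTC, the gnutls-cli 'activated' format) is later
    than the root's distrust-after cutoff is rejected."""
    leaf_not_before = datetime.strptime(leaf_not_before_utc, "%Y-%m-%d %H:%M:%S")
    by_label = {}
    for obj in objects:
        by_label.setdefault(obj.get("CKA_LABEL"), {})[obj["CKA_CLASS"]] = obj
    entry = by_label.get(root_label)
    if entry is None or "CKO_NSS_TRUST" not in entry:
        return False  # root absent from the store: every chain to it fails
    if entry["CKO_NSS_TRUST"].get("CKA_TRUST_SERVER_AUTH") != "CKT_NSS_TRUSTED_DELEGATOR":
        return False
    cutoff = distrust_after(entry.get("CKO_CERTIFICATE", {}))
    return cutoff is None or leaf_not_before <= cutoff


def blacklist_root(objects, root_label):
    """Model the ca-certificates 20200601 approach: drop the root entirely."""
    return [o for o in objects if o.get("CKA_LABEL") != root_label]


def ignore_distrust_after(objects):
    """Model a consumer that never reads CKA_NSS_SERVER_DISTRUST_AFTER."""
    return [{k: v for k, v in o.items() if k != "CKA_NSS_SERVER_DISTRUST_AFTER"}
            for o in objects]


if __name__ == "__main__":
    store = parse_certdata(SAMPLE_CERTDATA)
    root = "GeoTrust Global CA"
    webkit_leaf = "2019-03-14 16:13:54"  # 'activated' date of www.webkit.org above
    late_leaf = "2020-06-01 00:00:00"    # constructed leaf issued after the cutoff
    for name, s in (("NSS rule", store), ("blacklist", blacklist_root(store, root)),
                    ("attribute ignored", ignore_distrust_after(store))):
        print(f"{name:18s} webkit leaf: {server_auth_trusted(s, root, webkit_leaf)}"
              f"  late leaf: {server_auth_trusted(s, root, late_leaf)}")
```

Only the NSS rule row rejects the late leaf while still accepting the webkit.org chain; the blacklist rejects both and ignoring the attribute accepts both.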
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 18 Jun 2020 09:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Kim-Alexander Brodowski <kim.brodowski@iserv.eu>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Thu, 18 Jun 2020 09:03:02 GMT) (full text, mbox, link).
Message #57 received at 962596@bugs.debian.org (full text, mbox, reply):
Hello,
Instead of re-enabling the GeoTrust root, wouldn't it be much simpler to
include the CA certificates outlined in
https://wiki.mozilla.org/CA/Additional_Trust_Changes under Symantec?
This would also render other non-trustworthy certificates from
GeoTrust useless.
In the meantime we've pinned the root CA of Apple's offending endpoints,
which is what their developer documentation suggests. I just fear that
they might decide tomorrow that they want to change certificates after
all. I'm not entirely convinced they'll serve multiple certificates for
a transition period.
Kind regards.
On Wed, 17 Jun 2020 08:15:27 -0500 Michael Catanzaro
<mcatanzaro@gnome.org> wrote:
> Hi,
>
> I asked Fedora's ca-certificates maintainer to comment on this. I
> didn't fully understand his reply, but he says this was some sort of
> mistake in Debian's package and not an upstream problem:
> https://bugzilla.redhat.com/show_bug.cgi?id=1845988#c3
>
> """
> So mozilla lists relevant changes between NSS processing and the raw
> cert trust database here:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes . NSS was indeed
> whitelisting accepted intermediates, but it also didn't explicitly
> remove the target CAs from the trust list. It now uses
> CKA_NSS_SERVER_DISTRUST_AFTER to handle how it distrusts the given CAs.
>
> I've verified that the cert has not been removed from the current trust
> list, but CKA_NSS_SERVER_DISTRUST_AFTER has been set in the latest
> version. This means that if a cert issued from this CA was issued after
> the specified date, then it will be distrusted; otherwise it
> will continue to be trusted.
>
> I suspect Debian took out the certs from the trust store altogether,
> rather than processing the list straight from mozilla.
>
> Upshot: if you process CKA_NSS_SERVER_DISTRUST_AFTER, then you will get
> safer behavior; otherwise the CAs are still trusted in the latest list.
> """
>
> I suspect you have more broken certificates that need to be restored
> than just GeoTrust.
>
> Furthermore, last time we had a major Debian-specific certificate
> verification issue, we discovered that Debian is not actually capable
> of restoring previously-removed certificates without manual user
> intervention, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339. That means
> that even once these certificates are restored, users who have already
> updated to the affected version of ca-certificates will suffer
> permanently broken certificate verification unless they have found this
> bug report and know to take manual intervention, because the
> certificates will remain disabled locally.
>
> Michael
--
Kind regards
Kim-Alexander Brodowski
IServ GmbH
Development
Bültenweg 73
38106 Braunschweig
Phone: +49 531 22 43 666-0
Mobile: +49 152 55 17 55 16
Fax: +49 531 22 43 666-9
E-mail: Kim.Brodowski@iserv.eu
Web: https://iserv.eu
VAT ID DE265149425 | Braunschweig Local Court | HRB 201822
Managing directors: Benjamin Heindl, Martin Hüppe, Jörg Ludwig
Privacy policy: https://iserv.eu/privacy
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 02 Jul 2020 12:36:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Catanzaro <mcatanzaro@gnome.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
(Thu, 02 Jul 2020 12:36:02 GMT) (full text, mbox, link).
Message #62 received at 962596@bugs.debian.org (full text, mbox, reply):
It doesn't make sense for Debian to remove certificates that are still
distributed by Mozilla and required in practice. Including intermediate
CAs won't be necessary once this is fixed. (That is, assuming you fix
upgraded systems somehow. In the meantime, everyone who upgrades
ca-certificates to the broken version will be permanently broken due to
the aforementioned Debian-specific update-ca-certificates bug.)
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Wed, 15 Jul 2020 12:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Wed, 15 Jul 2020 12:51:02 GMT) (full text, mbox, link).
Message #67 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi,
Thanks for maintaining ca-certificates.
I just wanted to let you know that a number of customers of $work are
affected by this, and we would very much welcome a return of the
GeoTrust Global CA.
It'd be nice if the uploaders of the ca-certificates could state what
they intend to do, so we could take the appropriate measure locally.
Cheers,
Thomas Goirand (zigo)
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Wed, 05 Aug 2020 12:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Prokop <mika@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Wed, 05 Aug 2020 12:12:04 GMT) (full text, mbox, link).
Message #72 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
* Thomas Goirand [Wed Jul 15, 2020 at 02:48:20PM +0200]:
> Thanks for maintaining ca-certificates.
> I just wanted to let you know that a number of customers of $work are
> affected by this, and we would very much welcome a return of the
> GeoTrust Global CA.
> It'd be nice if the uploaders of the ca-certificates could state what
> they intend to do, so we could take the appropriate measure locally.
Is there any news or timeline, or is there something we could help
with to get this sorted out, Michael (Shuler)?
regards
-mika-
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 10 Sep 2020 14:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Holloway <mholloway@wikimedia.org>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Thu, 10 Sep 2020 14:48:02 GMT) (full text, mbox, link).
Message #77 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Happy three-month bug birthday! Any news?
Thanks,
Michael
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Michael Shuler <michael@pbandjelly.org>:
Bug#962596; Package ca-certificates.
(Thu, 01 Oct 2020 20:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "mkarbas@mpi-inf.mpg.de" <mkarbas@mpi-inf.mpg.de>:
Extra info received and forwarded to list. Copy sent to Michael Shuler <michael@pbandjelly.org>.
(Thu, 01 Oct 2020 20:27:03 GMT) (full text, mbox, link).
Message #82 received at 962596@bugs.debian.org (full text, mbox, reply):
Hey all,
Is there a timeline on this? Still present in 20200601~deb10u1.
Cheers,
Amin
Reply sent
to Julien Cristau <jcristau@debian.org>:
You have taken responsibility.
(Tue, 19 Jan 2021 10:51:07 GMT) (full text, mbox, link).
Notification sent
to Philippe Normand <phil@base-art.net>:
Bug acknowledged by developer.
(Tue, 19 Jan 2021 10:51:07 GMT) (full text, mbox, link).
Message #87 received at 962596-close@bugs.debian.org (full text, mbox, reply):
Source: ca-certificates
Source-Version: 20210119
Done: Julien Cristau <jcristau@debian.org>
We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 962596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated ca-certificates package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 19 Jan 2021 11:11:04 +0100
Source: ca-certificates
Architecture: source
Version: 20210119
Distribution: unstable
Urgency: medium
Maintainer: Julien Cristau <jcristau@debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Closes: 942915 962079 962596 976406
Changes:
ca-certificates (20210119) unstable; urgency=medium
.
[ Julien Cristau ]
* New maintainer (closes: #976406)
* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
bundle to version 2.46.
The following certificate authorities were added (+):
+ "certSIGN ROOT CA G2"
+ "e-Szigno Root CA 2017"
+ "Microsoft ECC Root Certificate Authority 2017"
+ "Microsoft RSA Root Certificate Authority 2017"
+ "NAVER Global Root Certification Authority"
+ "Trustwave Global Certification Authority"
+ "Trustwave Global ECC P256 Certification Authority"
+ "Trustwave Global ECC P384 Certification Authority"
The following certificate authorities were removed (-):
- "EE Certification Centre Root CA"
- "GeoTrust Universal CA 2"
- "LuxTrust Global Root 2"
- "OISTE WISeKey Global Root GA CA"
- "Staat der Nederlanden Root CA - G2" (closes: #962079)
- "Taiwan GRCA"
- "Verisign Class 3 Public Primary Certification Authority - G3"
.
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Primary Certification Authority - G2"
+ "VeriSign Universal Root Certification Authority"
.
[ Gianfranco Costamagna ]
* debian/{rules,control}:
Merge Ubuntu patch from Matthias Klose to use Python3 during build.
Closes: #942915
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Wed, 27 Jan 2021 19:36:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Michael Simons (.NET)" <Michael.Simons@microsoft.com>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Wed, 27 Jan 2021 19:36:02 GMT) (full text, mbox, link).
Message #93 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I see this was recently released to testing, is there an ETA on when it will be available in stable (e.g. buster)?
Thanks
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#962596; Package ca-certificates.
(Thu, 28 Jan 2021 14:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list.
(Thu, 28 Jan 2021 14:21:03 GMT) (full text, mbox, link).
Message #98 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi,
I'm not sure why this is blowing up again this week when things have
been in a bit of a limbo state since June last year, but in any case
I've just pushed a change to buster to try and revert the blacklisting
of legacy Symantec CAs. That should hopefully make it to the archive in
the next few days.
Cheers,
Julien
On Wed, Jan 27, 2021 at 06:22:00PM +0000, Svetlana Kofman wrote:
> Hi Julien,
>
> We are reaching out to you since you worked on issue #962596.
>
> Some background:
>
> NuGet packages that are being restored on Debian Buster are failing package
> validation. This is caused by an expired cert which causes us to check the time
> signature. The time signature is deemed invalid due to this recent Debian
> change.
>
> Broken by: Caused by Debian change #911289 - ca-certificates should remove
> Symantec certs - Debian Bug report logs
>
> Later fixed by Debian: #962596 - ca-certificates: Removal of GeoTrust Global CA
> requires investigation - Debian Bug report logs … but not released yet.
>
> NuGet issue is tracked in this public issue:
>
> Package validation broken in docker builds with errors NU3028 and NU3037 ·
> Issue #10491 · NuGet/Home (github.com)
>
> We are looking into helping customers mitigate the issue, and one of the
> options is to obtain the latest ca-certificates package with the fix.
>
> We see the fix is available in sid and bullseye, are there plans to backport
> the fix to buster? If so what is the timeline?
>
> Thanks,
>
> Svetlana
>
> NuGet Team
On Wed, Jan 27, 2021 at 07:33:02PM +0000, Michael Simons (.NET) wrote:
> I see this was recently released to testing, is there an ETA on when it will be
> available in stable (e.g. buster)?
>
> Thanks
Reply sent
to Julien Cristau <jcristau@debian.org>:
You have taken responsibility.
(Thu, 28 Jan 2021 16:21:07 GMT) (full text, mbox, link).
Notification sent
to Philippe Normand <phil@base-art.net>:
Bug acknowledged by developer.
(Thu, 28 Jan 2021 16:21:07 GMT) (full text, mbox, link).
Message #103 received at 962596-close@bugs.debian.org (full text, mbox, reply):
Source: ca-certificates
Source-Version: 20200601~deb10u2
Done: Julien Cristau <jcristau@debian.org>
We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 962596@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated ca-certificates package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Jan 2021 13:01:43 +0100
Source: ca-certificates
Architecture: source
Version: 20200601~deb10u2
Distribution: buster
Urgency: medium
Maintainer: Julien Cristau <jcristau@debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Closes: 962596 968002
Changes:
ca-certificates (20200601~deb10u2) buster; urgency=medium
.
[ Julien Cristau ]
* New maintainer (see #976406)
.
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596, #968002.
The following root certificates were added back (+):
+ "GeoTrust Global CA"
+ "GeoTrust Primary Certification Authority"
+ "GeoTrust Primary Certification Authority - G2"
+ "GeoTrust Primary Certification Authority - G3"
+ "GeoTrust Universal CA"
+ "thawte Primary Root CA"
+ "thawte Primary Root CA - G2"
+ "thawte Primary Root CA - G3"
+ "VeriSign Class 3 Public Primary Certification Authority - G4"
+ "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "VeriSign Universal Root Certification Authority"
.
Note: due to bug #743339, CA certificates added back in this version
won't automatically be trusted again on upgrade. Affected users may
need to reconfigure the package to restore the desired state.
Checksums-Sha1:
e9b49bb650b83b4ec6e51bbebdbd21eeeac1c678 1907 ca-certificates_20200601~deb10u2.dsc
6835c04ff1238e63ca05f3966f7c60fa215efe36 245804 ca-certificates_20200601~deb10u2.tar.xz
Checksums-Sha256:
b89cbd8c235e131ee10cb85a9bd4b3e429874c1e0577c5ed35121f8590d4d029 1907 ca-certificates_20200601~deb10u2.dsc
13ffd04d36230309ff383ad4ccbefb1852b1483f0ac3da75b4979906933ba5e8 245804 ca-certificates_20200601~deb10u2.tar.xz
Files:
aa78b8e34193eb326ba9e80b75b9611a 1907 misc optional ca-certificates_20200601~deb10u2.dsc
3429d27944a83aeed05219eecbb59e51 245804 misc optional ca-certificates_20200601~deb10u2.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEVXgdqzTmGgnvuIvhnbAjVVb4z60FAmASxjMUHGpjcmlzdGF1
QGRlYmlhbi5vcmcACgkQnbAjVVb4z60/8w//fhhts0MwF8mxtoUFrJxtsm/3904m
MbXlfiYdMaIQCavlr/W2KqunGpg0KDyk+fLVAfRChpsDk7a2LVW2CS8VlxkEOuKy
mms2r1JDl49TiXf2Kyj1oNbvEINchT8eld2bYNQP4BX2F8Ew0QJVNXLzgyz9RYBJ
wO0aW8yTe6+agWHmjCDkw+wdO8B600/Q1YpUNjIvPImvFaAzd3sjWv9aczf6FFty
HBB2Of+teMP8vPi38/TsvgP3zvtVdgK77Vzzdqfh+xox025LFKwL40326xhBRy/+
FNRTOKRYX6kxrAFDwxjujDXpsSIcI984U7QKbJlHhH6NbY0nEkmDn7avzFyoSRqK
mTbxJ6P6NWv+icWGcqZZ5ZMP5bBgGA/iJ1fQ1PZxqCed7ae/PXzZIhHSjRwPTWc/
FIRiPpXBeJwsHlEQHMN0XkowqybS2ekYKpyT+LlYwPhTpyogdFASt3Q58MUebE8D
6TVVUNpTEJ7sSO72IeN1j9gPpaqZxEgYCNPWCU0Ec5KiFZj89H4BHU1d9oGAPb0i
7ya0tVT+ayzhMhFYa2bqMUdp3YJ3X8SPretTykKjF7OnMi5x7Bbn0IbSUJeq+E/8
KFRMk1PqQM3bOPv0Q38PVy3JQ5CrZTU/rZkxYymPTlZAV43vsm+NuqXryEoQsspZ
4MFoOltddq2Vfbo=
=F5f1
-----END PGP SIGNATURE-----
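The changelog note about bug #743339 means that simply upgrading to 20200601~deb10u2 does not guarantee that the re-added roots are trusted again. The script below is an added example, not part of this bug log or of the ca-certificates package; it assumes the /etc/ca-certificates.conf format (one certificate file per line, a leading "!" marking a deselected entry) and assumes the mozilla/ file names are the root's label with spaces replaced by underscores, and reports for each root in the "added back" list whether it is trusted, deselected or missing in a given config file.

```shell
#!/bin/sh
# Added example, not part of the bug log or of the ca-certificates package:
# report whether the roots that 20200601~deb10u2 added back are trusted again
# on a host, which the note about bug #743339 says is not automatic on upgrade.
# Assumed format of /etc/ca-certificates.conf: one certificate file per line,
# relative to /usr/share/ca-certificates, with a leading "!" marking a
# deselected certificate. The mozilla/ file names are assumed to be the
# root's label with spaces replaced by "_" (check against your own system).

# Roots listed as "added back (+)" in the 20200601~deb10u2 changelog.
READDED='GeoTrust Global CA
GeoTrust Primary Certification Authority
GeoTrust Primary Certification Authority - G2
GeoTrust Primary Certification Authority - G3
GeoTrust Universal CA
thawte Primary Root CA
thawte Primary Root CA - G2
thawte Primary Root CA - G3
VeriSign Class 3 Public Primary Certification Authority - G4
VeriSign Class 3 Public Primary Certification Authority - G5
VeriSign Universal Root Certification Authority'

# Map a root's label to its ca-certificates.conf entry (assumed naming rule).
ca_filename() {
    printf 'mozilla/%s.crt\n' "$(printf '%s' "$1" | tr ' ' '_')"
}

# Classify one root in the given config file: "trusted" (listed),
# "deselected" ("!"-prefixed) or "missing" (not listed at all).
ca_status() {
    f=$(ca_filename "$2")
    if grep -qxF -- "!$f" "$1"; then
        echo deselected
    elif grep -qxF -- "$f" "$1"; then
        echo trusted
    else
        echo missing
    fi
}

# Labels of re-added roots that are still deselected, one per line.
still_deselected() {
    printf '%s\n' "$READDED" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(ca_status "$1" "$name")" = deselected ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Succeeds only if every re-added root is trusted; usable as a CI gate.
all_trusted() {
    printf '%s\n' "$READDED" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(ca_status "$1" "$name")" != trusted ]; then
            exit 1   # leaves the pipeline subshell with status 1
        fi
    done
}

# Constructed sample (not a real system file): two roots deselected,
# "GeoTrust Universal CA" absent, the rest trusted.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/ca-certificates.conf
mozilla/Amazon_Root_CA_1.crt
!mozilla/GeoTrust_Global_CA.crt
mozilla/GeoTrust_Primary_Certification_Authority.crt
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
mozilla/thawte_Primary_Root_CA.crt
!mozilla/thawte_Primary_Root_CA_-_G2.crt
mozilla/thawte_Primary_Root_CA_-_G3.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt
EOF
}

# Print one status line per re-added root for the given config file.
report() {
    printf '%s\n' "$READDED" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%-62s %s\n' "$name" "$(ca_status "$1" "$name")"
    done
}

# Stand-alone run: check the file given as $1 (e.g. /etc/ca-certificates.conf),
# or the constructed sample when no argument is given.
main() {
    if [ $# -ge 1 ]; then conf=$1; else conf=$(mktemp); make_sample_conf "$conf"; fi
    report "$conf"
    if all_trusted "$conf"; then
        echo "all re-added roots are trusted"
    else
        echo "some re-added roots are deselected or missing (see above)"
    fi
    [ $# -ge 1 ] || rm -f "$conf"
}
main "$@"
```

Run it with no argument to see the constructed sample, or with /etc/ca-certificates.conf to audit a real host. A root reported as "deselected" is re-enabled by removing the leading "!" from its line and running update-ca-certificates, or by reconfiguring the package (dpkg-reconfigure ca-certificates) as the changelog note suggests; a "missing" entry means the certificate file is not listed at all and the package configuration should be regenerated.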
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Mon, 01 Feb 2021 15:18:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "Michael Simons (.NET)" <Michael.Simons@microsoft.com>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Mon, 01 Feb 2021 15:18:05 GMT) (full text, mbox, link).
Message #108 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Julien,
Thanks for pushing the changes to buster. Will this get backported to stretch as well? If so, what is the timeframe users can expect?
> I'm not sure why this is blowing up again this week
See https://github.com/NuGet/Announcements/issues/49 for details on how this affected .NET users building on Debian.
Thanks
Michael
On Thu, 28 Jan 2021 15:17:34 +0100 "Julien Cristau" <jcristau@debian.org> wrote:
> Hi,
>
> I'm not sure why this is blowing up again this week when things have
> been in a bit of a limbo state since June last year, but in any case
> I've just pushed a change to buster to try and revert the blacklisting
> of legacy Symantec CAs. That should hopefully make it to the archive in
> the next few days.
>
> Cheers,
> Julien
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#962596; Package ca-certificates.
(Mon, 01 Feb 2021 16:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list.
(Mon, 01 Feb 2021 16:21:05 GMT) (full text, mbox, link).
Message #113 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi Michael,
stretch is EOL, so I am not planning on touching it myself.
Cc:ing the team that looks after stretch-lts in case they want to handle
this.
Cheers,
Julien
On Mon, Feb 01, 2021 at 03:14:38PM +0000, Michael Simons (.NET) wrote:
> Hi Julien,
>
> Thanks for pushing the changes to buster. Will this get backported to stretch
> as well? If so, what is the timeframe users can expect?
>
> > I'm not sure why this is blowing up again this week
>
> See https://github.com/NuGet/Announcements/issues/49 for details on how this
> affected .NET users building on Debian.
>
> Thanks
>
> Michael
>
> On Thu, 28 Jan 2021 15:17:34 +0100 "Julien Cristau" <jcristau@debian.org>
> wrote:
> > Hi,
> >
> > I'm not sure why this is blowing up again this week when things have
> > been in a bit of a limbo state since June last year, but in any case
> > I've just pushed a change to buster to try and revert the blacklisting
> > of legacy Symantec CAs. That should hopefully make it to the archive in
> > the next few days.
> >
> > Cheers,
> > Julien
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Tue, 02 Feb 2021 11:42:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Tue, 02 Feb 2021 11:42:03 GMT) (full text, mbox, link).
Message #118 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi,
On Mon, Feb 1, 2021 at 9:48 PM Julien Cristau <jcristau@debian.org> wrote:
> stretch is EOL, so I am not planning on touching it myself.
> Cc:ing the team that looks after stretch-lts in case they want to handle
> this.
Thanks, I'll start to take a look at it.
IIUC, this commit[1] needs a backport to stretch, correct?
[1]: https://salsa.debian.org/debian/ca-certificates/-/commit/62a6fc666ddc27baa0150e2b210814ecf1fc587e
- u
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Fri, 05 Feb 2021 09:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Fri, 05 Feb 2021 09:42:03 GMT) (full text, mbox, link).
Message #123 received at 962596@bugs.debian.org (full text, mbox, reply):
Hello,
On Tue, Feb 2, 2021 at 5:09 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
> On Mon, Feb 1, 2021 at 9:48 PM Julien Cristau <jcristau@debian.org> wrote:
> > stretch is EOL, so I am not planning on touching it myself.
> > Cc:ing the team that looks after stretch-lts in case they want to handle
> > this.
>
> Thanks, I'll start to take a look at it.
> IIUC, this commit[1] needs a backport to stretch, correct?
>
> [1]: https://salsa.debian.org/debian/ca-certificates/-/commit/62a6fc666ddc27baa0150e2b210814ecf1fc587e
Just a slight ping on this since I haven't really heard back.
I'll be happy to backport this and prepare an update for stretch once
somebody gives me an ack on the above mail.
- u
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Fri, 05 Feb 2021 16:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "Michael Simons (.NET)" <Michael.Simons@microsoft.com>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Fri, 05 Feb 2021 16:06:05 GMT) (full text, mbox, link).
Message #128 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Yes
On Tue, 2 Feb 2021 17:09:33 +0530 Utkarsh Gupta <utkarsh@debian.org> wrote:
> Hi,
>
> On Mon, Feb 1, 2021 at 9:48 PM Julien Cristau <jcristau@debian.org> wrote:
> > stretch is EOL, so I am not planning on touching it myself.
> > Cc:ing the team that looks after stretch-lts in case they want to handle
> > this.
>
> Thanks, I'll start to take a look at it.
> IIUC, this commit[1] needs a backport to stretch, correct?
>
> [1]: https://salsa.debian.org/debian/ca-certificates/-/commit/62a6fc666ddc27baa0150e2b210814ecf1fc587e
>
> - u
[Message part 2 (text/html, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 06 Mar 2021 07:32:59 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Thorsten Glaser <tg@debian.org>
to control@bugs.debian.org.
(Sat, 13 Mar 2021 20:27:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Sat, 13 Mar 2021 20:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Thorsten Glaser <tg@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Sat, 13 Mar 2021 20:39:03 GMT) (full text, mbox, link).
Message #137 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi,
the changelogs seem to differ in re-added certificates:
ca-certificates (20210119) unstable; urgency=medium
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Primary Certification Authority - G2"
+ "VeriSign Universal Root Certification Authority"
ca-certificates (20200601~deb10u2) buster; urgency=medium
[ Michael Shuler ]
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596, #968002.
The following root certificates were added back (+):
+ "GeoTrust Global CA"
+ "GeoTrust Primary Certification Authority"
+ "GeoTrust Primary Certification Authority - G2"
+ "GeoTrust Primary Certification Authority - G3"
+ "GeoTrust Universal CA"
+ "thawte Primary Root CA"
+ "thawte Primary Root CA - G2"
+ "thawte Primary Root CA - G3"
+ "VeriSign Class 3 Public Primary Certification Authority - G4"
+ "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "VeriSign Universal Root Certification Authority"
ca-certificates (20200601~deb9u2) stretch-security; urgency=high
* mozilla/blacklist:
Revert Symantec CA blacklist (#911289). Closes: #962596
The following root certificates were added back (+):
+ "GeoTrust Global CA"
+ "GeoTrust Primary Certification Authority"
+ "GeoTrust Primary Certification Authority - G2"
+ "GeoTrust Primary Certification Authority - G3"
+ "GeoTrust Universal CA"
+ "thawte Primary Root CA"
+ "thawte Primary Root CA - G2"
+ "thawte Primary Root CA - G3"
+ "VeriSign Class 3 Public Primary Certification Authority - G4"
+ "VeriSign Class 3 Public Primary Certification Authority - G5"
+ "VeriSign Universal Root Certification Authority"
So, which is correct?
Thanks in advance,
//mirabilos
--
<ch> you introduced a merge commit │<mika> % g rebase -i HEAD^^
<mika> sorry, no idea and rebasing just fscked │<mika> Segmentation
<ch> should have cloned into a clean repo │ fault (core dumped)
<ch> if I rebase that now, it's really ugh │<mika:#grml> wuahhhhhh
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Mon, 15 Mar 2021 13:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Damon Tivel <dtivel@microsoft.com>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Mon, 15 Mar 2021 13:03:03 GMT) (full text, mbox, link).
Message #142 received at 962596@bugs.debian.org (full text, mbox, reply):
Thanks so much, Utkarsh!
Damon
-----Original Message-----
From: Utkarsh Gupta <utkarsh@debian.org>
Sent: Saturday, March 13, 2021 11:10 AM
To: Damon Tivel <dtivel@microsoft.com>; Michael Simons (.NET) <Michael.Simons@microsoft.com>
Cc: debian-lts@lists.debian.org; 962596@bugs.debian.org; Jon Douglas <jodou@microsoft.com>
Subject: [EXTERNAL] Re: Bug#962596: Backport to stretch?
Hi Damon, Michael,
On Sat, Mar 13, 2021 at 9:55 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
> So the upload should happen by this weekend!
This fix has now been patched, uploaded, accepted, and announced[1].
[1]: https://lists.debian.org/debian-lts-announce/2021/03/msg00016.html
This also means that the G/H issue
(https://github.com/NuGet/Announcements/issues/49) can now be updated to mark Debian 9 ("stretch") as resolved. Should you need any more information or help with this, please let me know.
- u
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#962596; Package ca-certificates.
(Mon, 15 Mar 2021 14:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list.
(Mon, 15 Mar 2021 14:03:02 GMT) (full text, mbox, link).
Message #147 received at 962596@bugs.debian.org (full text, mbox, reply):
On Sat, Mar 13, 2021 at 08:32:32PM +0000, Thorsten Glaser wrote:
> Hi,
>
> the changelogs seem to differ in re-added certificates:
>
Yes, they're different. I'm not sure what you're asking.
Cheers,
Julien
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Mon, 15 Mar 2021 17:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Thorsten Glaser <tg@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Mon, 15 Mar 2021 17:51:03 GMT) (full text, mbox, link).
Message #152 received at 962596@bugs.debian.org (full text, mbox, reply):
Hi Julien,
>Yes, they're different. I'm not sure what you're asking.
the reason for the difference; sorry if I was unclear.
Thanks,
//mirabilos
--
18:47⎜<mirabilos:#!/bin/mksh> well channels… you see, I see everything in the
same window anyway 18:48⎜<xpt:#!/bin/mksh> i know, you have some kind of
telnet with automatic pong 18:48⎜<mirabilos:#!/bin/mksh> haha, yes :D
18:49⎜<mirabilos:#!/bin/mksh> though that's more tinyirc – sirc is more comfy
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#962596; Package ca-certificates.
(Mon, 15 Mar 2021 18:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list.
(Mon, 15 Mar 2021 18:03:02 GMT) (full text, mbox, link).
Message #157 received at 962596@bugs.debian.org (full text, mbox, reply):
On Mon, Mar 15, 2021 at 05:44:44PM +0000, Thorsten Glaser wrote:
> Hi Julien,
>
> >Yes, they're different. I'm not sure what you're asking.
>
> the reason for the difference; sorry if I was unclear.
>
They're different versions of the mozilla root store, so they include
different sets of CA certificates.
Cheers,
Julien
Information forwarded
to debian-bugs-dist@lists.debian.org, Julien Cristau <jcristau@debian.org>:
Bug#962596; Package ca-certificates.
(Wed, 07 Apr 2021 19:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Loïc Sharma <Loic.Sharma@microsoft.com>:
Extra info received and forwarded to list. Copy sent to Julien Cristau <jcristau@debian.org>.
(Wed, 07 Apr 2021 19:33:05 GMT) (full text, mbox, link).
Message #162 received at 962596@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello,
I am from the NuGet team at Microsoft. Network Security Services (NSS) 3.63 and newer distrusts Symantec which will cause failures when installing NuGet packages. For more information, please see:
* https://github.com/dotnet/announcements/issues/180
* https://github.com/NuGet/Announcements/issues/56
Does Debian have a timeline for when it will update to NSS 3.63 or newer? Will this result in Debian distrusting the Symantec CA again, or will the allowlist from DLA 2593-1 <https://lists.debian.org/debian-lts-announce/2021/03/msg00016.html> be kept? If this causes Debian to distrust Symantec CA, which versions of Debian will be affected?
Best,
Loic
[Message part 2 (text/html, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 06 May 2021 07:28:15 GMT) (full text, mbox, link).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Oct 8 03:06:25 2023; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.