|
|
Log in / Subscribe / Register

Debian alert DLA-4485-1 (ca-certificates)



From:
              rouca@debian.org


To:
              <debian-lts-announce@lists.debian.org>


Subject:
              [SECURITY] [DLA 4485-1] ca-certificates CA certificates update


Date:
              Fri, 20 Feb 2026 22:50:01 +0100


Message-ID:
              <0dc7c45d925db7b92c62dc99bb8ec176@debian.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4485-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
February 20, 2026                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ca-certificates
Version        : 20230311+deb12u1~deb11u1
Debian Bug     : 995432 1095913

ca-certificates a package that contains the certificate authorities
shipped with Mozilla's browser to allow SSL-based applications to check
for the authenticity of SSL connections, was updated

Mozilla certificate authority bundle was updated to version 2.60
The following certificate authorities were added (+):
    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
    + "ANF Secure Server Root CA"
    + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
    + "Certainly Root E1"
    + "Certainly Root R1"
    + "Certum EC-384 CA"
    + "Certum Trusted Root CA"
    + "D-TRUST BR Root CA 1 2020"
    + "D-TRUST EV Root CA 1 2020"
    + "DigiCert TLS ECC P384 Root G5"
    + "DigiCert TLS RSA4096 Root G5"
    + "E-Tugra Global Root CA ECC v3"
    + "E-Tugra Global Root CA RSA v3"
    + "GlobalSign Root R46"
    + "GlobalSign Root E46"
    + "GLOBALTRUST 2020"
    + "HARICA TLS ECC Root CA 2021"
    + "HARICA TLS RSA Root CA 2021"
    + "HiPKI Root CA - G1"
    + "ISRG Root X2"
    + "Security Communication ECC RootCA1"
    + "Security Communication RootCA3"
    + "Telia Root CA v2"
    + "TunTrust Root CA"
    + "vTrus ECC Root CA"
    + "vTrus Root CA"
The following certificate authorities were removed (-):
    - "Chambers of Commerce Root - 2008"
    - "Cybertrust Global Root" (expired)
    - "EC-ACC"
    - "GeoTrust Primary Certification Authority - G2"
    - "Global Chambersign Root - 2008"
    - "GlobalSign Root CA - R2" (expired)
    - "Hellenic Academic and Research Institutions RootCA 2011"
    - "Network Solutions Certificate Authority"
    - "QuoVadis Root CA"
    - "Sonera Class 2 Root CA"
    - "Staat der Nederlanden EV Root CA" (expired)
    - "Staat der Nederlanden Root CA - G3"
    - "Trustis FPS Root CA"
    - "VeriSign Universal Root Certification Authority"

This update add also 2 Sectigo roots that are in active use and causing
interop issues; these roots were included in the Mozilla bundle
version 2.62:
    + Sectigo Public Server Authentication Root E46
    + Sectigo Public Server Authentication Root R46

The expired root certificate "DST Root CA X3" was blacklisted.

Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system administrator.

For Debian 11 bullseye, this problem has been fixed in version
20230311+deb12u1~deb11u1.

We recommend that you upgrade your ca-certificates packages.

For the detailed security status of ca-certificates please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ca-certificates

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmmY1wkACgkQADoaLapB
CF9+jQ/+OrLQULzbctQfMpZVJC6x2tA25mzb+1oXW4yOueNJsWY6cIdDKO5stg8y
kA860ImOF1oIgQs7un8wE1GOtu5deJBBSpXUXTg19xsWb5ziD60jFUoQlA4dbQ9l
dPFEWwhu5G1U9zkaVHk5YKfDixTqFelC1lbvfb8CGe8/HR8uzJJFaq3yvHenLJEU
av02j8QTQTryeCDnYKmeUeAuiRHWzaj2vyLdNzHRqLVXOMEhfZQ89ULekbZwNPjP
XVjOtYHEkrHRTdky9t1onPZw81vezI54uCufXfGpFvlLul97JfGdpDuU1S0lAmTV
6SmjWMvBVJkGjb9nX+aoiJA8xrrGI536EQ7vKsYtXkMTvr2J3K/M0AT9HZO/s9dy
iU8Ln/WZuNy7AKS3YeYLdvDJZt2Vtw8mra5tF9iJWIFQ3sgx4/9r60AqGhHk07Xy
P9PX9n0vvaMx05EOXzsd1xoEf9sEWgHxXuFov2HaVBWQ7TJVIQd+rJUpqSaTrJtv
wxByzOMQCk2Snca5NR44A0hrFGtnKMPpC+VnbnulOaRm4kmVdqUXW2rxmBygiBsj
eR1eH8HE4+mrv3zc/QpjmEEeXcxQ05+dav7huncmppf53MDFjbFy5d753o4ibHgs
Ygci0HTOuJEGMXOSv2VJrlCPqV5ImxEdl01NsCWzgGELjWNFI24=
=21XP
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds