Debian alert DLA-2593-1 (ca-certificates)
| From: | Utkarsh Gupta <utkarsh@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 2593-1] ca-certificates whitelist Symantec CA | |
| Date: | Sun, 14 Mar 2021 00:27:53 +0530 | |
| Message-ID: | <CAPP0f94ACSPotLp3yCY+qkDw4h6cZopQtncq0K6SYfmsX0kZcQ@mail.gmail.com> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2593-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Utkarsh Gupta March 14, 2021 https://wiki.debian.org/LTS - ----------------------------------------------------------------------- Package : ca-certificates Version : 20200601~deb9u2 Debian Bug : 962596 This update reverts the Symantec CA blacklist (which was originally #911289). The following root certificates were added back (+): + "GeoTrust Global CA" + "GeoTrust Primary Certification Authority" + "GeoTrust Primary Certification Authority - G2" + "GeoTrust Primary Certification Authority - G3" + "GeoTrust Universal CA" + "thawte Primary Root CA" + "thawte Primary Root CA - G2" + "thawte Primary Root CA - G3" + "VeriSign Class 3 Public Primary Certification Authority - G4" + "VeriSign Class 3 Public Primary Certification Authority - G5" + "VeriSign Universal Root Certification Authority" NOTE: due to bug #743339, CA certificates added back in this version won't automatically be trusted again on upgrade. Affected users may need to reconfigure the package to restore the desired state. For Debian 9 stretch, this problem has been fixed in version 20200601~deb9u2. We recommend that you upgrade your ca-certificates packages. For the detailed security status of ca-certificates please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ca-certificates Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmBNCv8ACgkQgj6WdgbD S5aqbxAAue4UEfOGqdQG1YSG8Semu+DtEpfCG+Z4Z7bWOQ4ykuhhRdfWWR0D3Y8F A1QANjLVwubdUfecO+B2hzC7RiQX9N87JcT8jaAzRfsh4rC6iK00uNAAhsYgpR49 mrMHLz4e8FMR6EBCQHLaKErnU1BGUl+QDEI/gebM6oNR8hpKgAyJzFPeYWK0BIhj /OMgWlpKZzOshO3/Bi1GHw/EjWp8WzBfzEdShiNziaoZOQ4LM0Olrx7p1lLOIwaA KEiQ5yjVvD1CmnNLMv9lXhQjrl2Dq4NH+euxROxMgtO9iPe4njqW/5FMhVk9n8k7 rmFB9tl9HAFvw4Iqrr61uSClrUPeMkklR4n+CrGTjlP74rtOniGCa1jj3Id5+zgH NxNBd0Dw2peOvEyJM64XTOK2amGii0gEQDCcEtrojwjVyWOlHyb9Lw1eB2emJJlq hO55teymF/k4T5R350eDe6rbmeKu+mTt6sopGtarjDla6aqnSFOvnvZjdj4ED1uz iXIdHth6cKEkCeEfM8ygosTsxgYeJZ4AtIQFGZ0eOK61gtsqlsVxspasfqKzJwNL NyuSEfPZzzMABo52iAKiTChR4eemASf+aDkH6m+BRe5T7vqTc+9MXh0EOMu7w1Bw tM/W13zUlLe0AXobJ9N8TJGddky4Fsa81t4fkzPBLCvPL6ZnP/w= =2JAb -----END PGP SIGNATURE-----