author Michael Shuler <michael@pbandjelly.org> 2018-03-29 22:11:18 -0600
committer Michael Shuler <michael@pbandjelly.org> 2018-03-29 22:11:18 -0600
commit 82051fd0037f9f1ba4dbb713fbe68e333523d498
tree f5c111776a12b2fadde54825af1be0cc440b40cb
parent 642d5381628560eb7a6311e208927d2fe70119d7
Update mozilla/blacklist.txt
- remove certificates no longer in certdata.txt
- explicitly ignore distrusted certificates to prevent build errors
-rw-r--r-- debian/changelog 3
-rw-r--r-- mozilla/blacklist.txt 30
2 files changed, 13 insertions, 20 deletions
diff --git a/debian/changelog b/debian/changelog
index 118146d..0f7aa82 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,9 @@ ca-certificates (20180329) UNRELEASED; urgency=medium
- "TURKTRUST Certificate Services Provider Root 2007"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "UTN USERFirst Hardware Root CA"
+ * mozilla/blacklist.txt
+ Update blacklist to remove certificates no longer in certdata.txt and
+ explicitly ignore distrusted certificates.
* debian/copyright:
Fix lintian insecure-copyright-format-uri with https URL.
* debian/changelog:
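Review bot: The new mozilla/blacklist.txt changelog entry does not name the labels dropped from the blacklist, although the same commit removes the StartCom, WoSign, DigiNotar Root CA and MD5 collision entries. The list items just above this entry name certificates one by one; doing the same here, with one line per removed label and one line saying the "Distrust:" style labels were added, would let someone reading only the changelog tell that those roots are absent because they left certdata.txt and not because they became trusted again.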
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 6ea1732..37f515c 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -1,23 +1,13 @@
# One blacklist entry per line, corresponding to the label in certdata.txt.
-# MD5 Collision Proof of Concept CA
-"MD5 Collisions Forged Rogue CA 25c3"
+# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+"Explicitly Distrust DigiNotar Root CA"
+"Explicitly Distrusted DigiNotar PKIoverheid G2"
+"MITM subCA 1 issued by Trustwave"
+"MITM subCA 2 issued by Trustwave"
+"TURKTRUST Mis-issued Intermediate CA 1"
+"TURKTRUST Mis-issued Intermediate CA 2"
-# DigiNotar Root CA (see debbug#639744)
-"DigiNotar Root CA"
-
-# StartCom and WoSign certificates are now untrusted by the major browser
-# vendors[0]. See [1] for discussion. The list was generated by:
-#
-# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
-# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
-#
-# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
-# [1] https://bugs.debian.org/858539
-#
-"StartCom Certification Authority"
-"StartCom Certification Authority G2"
-"WoSign"
-"WoSign China"
-"Certification Authority of WoSign G2"
-"CA WoSign ECC Root"
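Review bot: The replacement comment on the added line above the "Distrust:" entries drops all of the provenance the removed block carried (the Mozilla blog link, the Debian bug references, and the command used to generate the list) and says "explicitly" twice without stating what build error is being avoided. Suggest keeping a short note on how the new labels were derived from certdata.txt and which build error they avoid, plus a line recording that the StartCom and WoSign labels were removed because they are no longer in certdata.txt, so a later reader does not take their absence from this file as a trust decision. Because the header says each entry corresponds to the label in certdata.txt, the new strings need to match character for character; "Explicitly Distrust DigiNotar Root CA" next to "Explicitly Distrusted DigiNotar PKIoverheid G2" looks inconsistent and is worth confirming against certdata.txt before merging.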