From 9d6c5602343d2ba4c2e7dfdcad5be8f777929b81 Mon Sep 17 00:00:00 2001
From: Michael Shuler <michael@pbandjelly.org>
Date: Mon, 1 Jun 2020 14:34:10 -0500
Subject: Blacklist expired root certificate, "AddTrust External CA Root"

---
 debian/changelog      | 6 +++++-
 mozilla/blacklist.txt | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 3ce9cfc..df20abc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,8 +8,11 @@ ca-certificates (20200601) unstable; urgency=medium
   * mozilla/{certdata.txt,nssckbi.h}:
     Update Mozilla certificate authority bundle to version 2.40.
     Closes: #956411, #955038
-  * Add distrusted Symantec CA list to blacklist for explicit removal.
+  * mozilla/blacklist.txt
+    Add distrusted Symantec CA list to blacklist for explicit removal.
     Closes: #911289
+    Blacklist expired root certificate, "AddTrust External CA Root"
+    Closes: #961907
     The following certificate authorities were added (+):
     + "Certigna Root CA"
     + "emSign ECC Root CA - C3"
@@ -25,6 +28,7 @@ ca-certificates (20200601) unstable; urgency=medium
     + "UCA Extended Validation Root"
     + "UCA Global G2 Root"
     The following certificate authorities were removed (-):
+    - "AddTrust External CA Root"
     - "Certinomis - Root CA"
     - "Certplus Class 2 Primary CA"
     - "Deutsche Telekom Root CA 2"
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 8914d97..6873820 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -33,3 +33,7 @@
 "VeriSign Class 3 Public Primary Certification Authority - G4"
 "VeriSign Class 3 Public Primary Certification Authority - G5"
 "VeriSign Universal Root Certification Authority"
+
+# Blacklist expired certificate (Not After : May 30 10:48:38 2020 GMT)
+# See: https://bugs.debian.org/961907
+"AddTrust External CA Root"
-- 
cgit v1.2.1