20190110 (patches unapplied)

Imported using git-ubuntu import.

debian/ca-certificates.postinst

@@ -41,14 +41,14 @@ delca() {
 case "$1" in
     configure)
         if [ ! -e /usr/local/share/ca-certificates ]; then
-            if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then
-                chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates
+            if mkdir -m $(stat -L -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then
+                chgrp $(stat -L -c %g /usr/local) /usr/local/share/ca-certificates
             fi
         # Handle upgrades and allow local admin to override:
         # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates
         elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then
-            chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates || true
-            chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates || true
+            chmod $(stat -L -c %a /usr/local) /usr/local/share/ca-certificates || true
+            chown $(stat -L -c %u /usr/local):$(stat -L -c %g /usr/local) /usr/local/share/ca-certificates || true
         fi
 
         . /usr/share/debconf/confmodule

debian/changelog

@@ -1,3 +1,34 @@
+ca-certificates (20190110) unstable; urgency=high
+
+  * debian/control:
+    Depend on openssl (>= 1.1.1).
+    Set Standards-Version: 4.3.0.1.
+    Set Build-Depends: debhelper-compat (= 12); drop d/compat
+    Remove trailing whitespace from d/changelog.
+  * debian/ca-certificates.postinst:
+    Fix permissions on /usr/local/share/ca-certificates when using symlinks.
+    Closes: #916833
+  * sbin/update-ca-certificates:
+    Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
+    rehash` from exiting with an error. Closes: #895482, #895473
+    This will also fix removal of user CA certificates from /usr/local without
+    needing to run --fresh. Closes: #911303
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.28.
+    The following certificate authorities were added (+):
+    + "GlobalSign Root CA - R6"
+    + "OISTE WISeKey Global Root GC CA"
+    The following certificate authorities were removed (-):
+    - "Certplus Root CA G1"
+    - "Certplus Root CA G2"
+    - "OpenTrust Root CA G1"
+    - "OpenTrust Root CA G2"
+    - "OpenTrust Root CA G3"
+    - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    - "Visa eCommerce Root"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 10 Jan 2019 19:31:31 -0600
+
 ca-certificates (20180409) unstable; urgency=medium
 
   [ Michael Shuler ]
@@ -1195,4 +1226,3 @@ ca-certificates (20020107) unstable; urgency=low
   * Initial Release. closes: Bug#126586
 
  -- Fumitoshi UKAI <ukai@debian.or.jp>  Mon,  7 Jan 2002 21:16:51 +0900
-

debian/compat

@@ -1 +0,0 @@
-11

debian/control

@@ -3,16 +3,16 @@ Section: misc
 Priority: optional
 Maintainer: Michael Shuler <michael@pbandjelly.org>
 Uploaders: Raphael Geissert <geissert@debian.org>,
-           Thijs Kinkhorst <thijs@debian.org>,
-Build-Depends: debhelper (>= 11), po-debconf
+           Thijs Kinkhorst <thijs@debian.org>
+Build-Depends: debhelper-compat (= 12), po-debconf
 Build-Depends-Indep: python, openssl
-Standards-Version: 4.1.4
+Standards-Version: 4.3.0.1
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
 
 Package: ca-certificates
 Architecture: all
-Depends: openssl (>= 1.1.0), ${misc:Depends}
+Depends: openssl (>= 1.1.1), ${misc:Depends}
 Enhances: openssl
 Multi-Arch: foreign
 Breaks: ca-certificates-java (<<20121112+nmu1)

mozilla/nssckbi.h

@@ -32,7 +32,7 @@
  * - whenever possible, if older branches require a modification to the
  *   list, these changes should be made on the main line of development (trunk),
  *   and the older branches should update to the most recent list.
- * 
+ *
  * - ODD minor version numbers are reserved to indicate a snapshot that has
  *   deviated from the main line of development, e.g. if it was necessary
  *   to modify the list on a stable branch.
@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
-#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 28
+#define NSS_BUILTINS_LIBRARY_VERSION "2.28"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/update-ca-certificates

@@ -172,11 +172,20 @@ REMOVED_CNT=$(wc -l < "$REMOVED")
 if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
 then
   # only run if set of files has changed
+  # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
+  # from exiting with an error. See #895482, #895473.
+  find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+  do
+    rm -f "$orphan"
+    if [ "$verbose" = 1 ]; then
+      echo "Removed orphan symlink $orphan"
+    fi
+  done
   if [ "$verbose" = 0 ]
   then
     openssl rehash . > /dev/null
   else
-    openssl rehash .
+    openssl rehash -v .
   fi
 fi