From 0a3d07219fca7aa5f6a5af8129ab851f0723ab6c Mon Sep 17 00:00:00 2001 From: Chris Lamb Date: Fri, 19 May 2017 16:53:16 +0200 Subject: [PATCH] 20161130+nmu1 (patches unapplied) Imported using git-ubuntu import. --- debian/changelog | 8 ++++++++ mozilla/blacklist.txt | 16 ++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/debian/changelog b/debian/changelog index c77ea5c..e77ed8f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ca-certificates (20161130+nmu1) unstable; urgency=medium + + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are + now untrusted by the major browser vendors. Closes: #858539 + + -- Chris Lamb Fri, 19 May 2017 16:53:16 +0200 + ca-certificates (20161130) unstable; urgency=medium [ Philipp Kern ] diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index 911f9f1..6ea1732 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt @@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root"
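Review bot: in the debian/changelog hunk, the new 20161130+nmu1 entry does not name the six labels being blacklisted, and its wording "Add StartCom and WoSign certificates to mozilla/blacklist.txt" can be misread as adding trust rather than removing it. The changelog is the first place someone looks when TLS verification starts failing after an upgrade, so consider listing the affected labels in the entry and stating explicitly that these roots are being distrusted.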
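Review bot: in the mozilla/blacklist.txt hunk, the generator command recorded in the comment is looser than it needs to be: `uniq` runs without a preceding `sort`, so it only collapses adjacent duplicate labels, and `grep UTF` keeps any matching line that contains "UTF" rather than only CKA_LABEL lines. Matching on the attribute directly, for example `grep -E 'CKA_LABEL UTF8 .*(WoSign|StartCom)'`, and finishing with `sort -u` would make the list reproducible when the command is rerun against a newer certdata.txt. The comment should also say that the entries are matched by label with no date condition, since the URL in [0] refers to distrusting new WoSign and StartCom certificates while these six entries blacklist the roots outright.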