20111025 (patches unapplied)

Imported using git-ubuntu import.
[ Michael Shuler ] * Add 3.0 (native) source format * Add Vcs-Git/Browser fields * Add myself as new Maintainer with Uploaders Closes: #588219 * Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13) Certificates added (+) and removed (-): + "AffirmTrust Commercial" + "AffirmTrust Networking" + "AffirmTrust Premium" + "AffirmTrust Premium ECC" + "A-Trust-nQual-03" + "Bogus Global Trustee" + "Bogus GMail" + "Bogus Google" + "Bogus kuix.de" + "Bogus live.com" + "Bogus Mozilla Addons" + "Bogus Skype" + "Bogus Yahoo 1" + "Bogus Yahoo 2" + "Bogus Yahoo 3" + "Certinomis - Autorité Racine" + "Certum Trusted Network CA" + "Explicitly Distrust DigiNotar Cyber CA" + "Explicitly Distrust DigiNotar Cyber CA 2nd" + "Explicitly Distrust DigiNotar Root CA" + "Explicitly Distrust DigiNotar Services 1024 CA" + "Explicitly Distrusted DigiNotar PKIoverheid" + "Explicitly Distrusted DigiNotar PKIoverheid G2" + "Go Daddy Root Certificate Authority - G2" + "Root CA Generalitat Valenciana" + "Starfield Root Certificate Authority - G2" + "Starfield Services Root Certificate Authority - G2" + "TWCA Root Certification Authority" - "AOL Time Warner Root Certification Authority 1" - "AOL Time Warner Root Certification Authority 2" - "DigiNotar Root CA" - "Entrust.net Global Secure Personal CA" - "Entrust.net Global Secure Server CA" - "Entrust.net Secure Personal CA" - "IPS Chained CAs root" - "IPS CLASE1 root" - "IPS CLASE3 root" - "IPS CLASEA1 root" - "IPS CLASEA3 root" - "IPS Timestamping root" - "Thawte Personal Freemail CA" - "Thawte Time Stamping CA" * "Bogus *" CAs above address Comodo MITM 03/11 Closes: #619587 * Update CAcert-Class 3-Subroot-certificate Closes: #630232 [ Steve Langasek ] * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of the way before calling c_rehash, so that symlinks don't accidentally get pointed here, breaking openssl certificate verification LP: #854927 [ Loïc Minier ] * Drop bogus c_rehash on upgrades, which caused issue when ca-certificates.crt was still in place; instead, call update-ca-certificates --fresh on upgrades to this version, and the usual update-ca-certificates otherwise Closes: #643667, #537382
2025-04-13 09:38:26 +00:00 · 2011-10-25 09:12:10 -05:00 · 2011-10-25 09:12:10 -05:00 · 180a63dbb4 · 2020-07-14 23:26:37 +00:00
commit 180a63dbb4
parent 150846320c
10 changed files with 4391 additions and 2810 deletions
--- a/cacert.org/README.asc
+++ b/cacert.org/README.asc
@ -1,5 +1,5 @@
 -----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
+Hash: SHA256

 - -----------------------
 CACert.org Certificate
@ -10,35 +10,45 @@ This certificate has been fetched from the following website:
  http://www.cacert.org/index.php?id=3

 Confirmed the certificate fingerprint with this webpage.
-(Sat Mar  3 21:09:24 PST 2007)
+(Sun Oct 23 21:18:35 CDT 2011)

-% openssl x509 -in root.crt -fingerprint -noout -sha1
+$ openssl x509 -in root.crt -fingerprint -noout -sha1
 SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
-% openssl x509 -in root.crt -fingerprint -noout -md5
+$ openssl x509 -in root.crt -fingerprint -noout -md5
 MD5 Fingerprint=A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

-% openssl x509 -in class3.crt -fingerprint -noout -sha1
-SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D
-% openssl x509 -in class3.crt -fingerprint -noout -md5
-MD5 Fingerprint=73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6
+$ openssl x509 -in class3.crt -fingerprint -noout -sha1
+SHA1 Fingerprint=AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
+$ openssl x509 -in class3.crt -fingerprint -noout -md5
+MD5 Fingerprint=F7:25:12:82:4E:67:B5:D0:8D:92:B7:7C:0B:86:7A:42

-
-% LANG=C gpg --verify cacert-fingerprint.asc
-gpg: Signature made Thu Sep  4 14:57:45 2003 JST using DSA key ID 65D0FD58
+$ LANG=C gpg --verify cacert-fingerprint.asc
+gpg: Signature made Thu Sep  4 00:57:45 2003 CDT using DSA key ID 65D0FD58
 gpg: Good signature from "CA Cert Signing Authority (Root CA) <gpg@cacert.org>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: A31D 4F81 EF4E BD07 B456  FA04 D2BB 0D01 65D0 FD58
-% LANG=C gpg --verify cacert-gpg-fingerprint.asc
-gpg: Signature made Mon Feb 14 14:10:37 2005 JST using DSA key ID 65D0FD58
+$ LANG=C gpg --verify cacert-gpg-fingerprint.asc
+gpg: Signature made Sun Feb 13 23:10:37 2005 CST using DSA key ID 65D0FD58
 gpg: Good signature from "CA Cert Signing Authority (Root CA) <gpg@cacert.org>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: A31D 4F81 EF4E BD07 B456  FA04 D2BB 0D01 65D0 FD58
+
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.6 (GNU/Linux)
+Version: GnuPG v1.4.11 (GNU/Linux)

-iD8DBQFF6lZ/9D5yZjzIjAkRAoKZAJ4/a88lHTpQeOYM3XmI2Wz/0O9logCfSueg
-/3XI31ro/sD9YxNIwKM1u8s=
-=8mz7
+iQIcBAEBCAAGBQJOpNDeAAoJEKJ4t4H+SyvajrQP/2v2x9JerwNLfWHpgHm2rjHI
+r8gHCSPD5SGtnSAwr8FrpGcbPRDwm8a8pLnCu8+X/LUcNU0qLikhB1n9Wv1mkPrb
+IFMkuz6z5GLp2Jo0uyO5vhoJxiaRAAbk6gjt8cGw7Lxfio+ckwjlYeTY3fkRgzu+
+WwWfDPUbsG2wGPuAxVZL9gzCmCrRN2v6XxTRk84rngiDR3J7Q4MEe5qDdEyCdoqp
+lBF0WS1fpNx9JSHaAkEqbl/Hffi+8XuzZpbDV1NouKf72JSQtvmf7en/0U9JMHA7
+/D156DXKMgUjyQSBPQ0BS+Fdh2ta/8of/SWLGKZtoC1DGtfRtmk3Mfbc94zPoH+w
+jRcmp9J0wcJndXUWU7d8XNaBF/c83xpGjt1HsiKIVDFh4HAU5VPNYm70YWDKoDWJ
+fQWVhG11PDTgz17FPKNlYCHKg5P8B05xR/Z3C6DyQCKV0wCXoAmV6giafC27nSVy
+pcchrYh80cqrgN0Fw8zXIlNu+8nFVyKWhtVsShmynBq4VoKnFM34+wmeWlv/Ym4F
+u3yrucY14Ucg+0pH4GFxFz+4vIZaV7pZ01LHLUC72Ja5/w8w0vvtOQlBx/+jI8Kk
+61ar2IAR3q4FtNmAiWGFDjsuzxD/TKatzwBvCL+RGZkR5IJFnmMv4YyYpuX1PwSx
+G/+ndT6YKiwegPvBacvj
+=ahp2
 -----END PGP SIGNATURE-----
--- a/cacert.org/class3.crt
+++ b/cacert.org/class3.crt
@ -1,35 +1,42 @@
 -----BEGIN CERTIFICATE-----
-MIIGCDCCA/CgAwIBAgIBATANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
-IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
-IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
-Y2FjZXJ0Lm9yZzAeFw0wNTEwMTQwNzM2NTVaFw0zMzAzMjgwNzM2NTVaMFQxFDAS
-BgNVBAoTC0NBY2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5v
-cmcxHDAaBgNVBAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCrSTURSHzSJn5TlM9Dqd0o10Iqi/OHeBlYfA+e2ol9
-4fvrcpANdKGWZKufoCSZc9riVXbHF3v1BKxGuMO+f2SNEGwk82GcwPKQ+lHm9WkB
-Y8MPVuJKQs/iRIwlKKjFeQl9RrmK8+nzNCkIReQcn8uUBByBqBSzmGXEQ+xOgo0J
-0b2qW42S0OzekMV/CsLj6+YxWl50PpczWejDAz1gM7/30W9HxM3uYoNSbi4ImqTZ
-FRiRpoWSR7CuSOtttyHshRpocjWr//AQXcD0lKdq1TuSfkyQBX6TwSyLpI5idBVx
-bgtxA+qvFTia1NIFcm+M+SvrWnIl+TlG43IbPgTDZCciECqKT1inA62+tC4T7V2q
-SNfVfdQqe1z6RgRQ5MwOQluM7dvyz/yWk+DbETZUYjQ4jwxgmzuXVjit89Jbi6Bb
-6k6WuHzX1aCGcEDTkSm3ojyt9Yy7zxqSiuQ0e8DYbF/pCsLDpyCaWt8sXVJcukfV
-m+8kKHA4IC/VfynAskEDaJLM4JzMl0tF7zoQCqtwOpiVcK01seqFK6QcgCExqa5g
-eoAmSAC4AcCTY1UikTxW56/bOiXzjzFU6iaLgVn5odFTEcV7nQP2dBHgbbEsPyyG
-kZlxmqZ3izRg0RS0LKydr4wQ05/EavhvE/xzWfdmQnQeiuP43NJvmJzLR5iVQAX7
-6QIDAQABo4G/MIG8MA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUHAQEEUTBPMCMG
-CCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggrBgEFBQcwAoYc
-aHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBBMD8GCCsGAQQB
-gZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9pbmRleC5w
-aHA/aWQ9MTAwDQYJKoZIhvcNAQEEBQADggIBAH8IiKHaGlBJ2on7oQhy84r3HsQ6
-tHlbIDCxRd7CXdNlafHCXVRUPIVfuXtCkcKZ/RtRm6tGpaEQU55tiKxzbiwzpvD0
-nuB1wT6IRanhZkP+VlrRekF490DaSjrxC1uluxYG5sLnk7mFTZdPsR44Q4Dvmw2M
-77inYACHV30eRBzLI++bPJmdr7UpHEV5FpZNJ23xHGzDwlVks7wU4vOkHx4y/CcV
-Bc/dLq4+gmF78CEQGPZE6lM5+dzQmiDgxrvgu1pPxJnIB721vaLbLmINQjRBvP+L
-ivVRIqqIMADisNS8vmW61QNXeZvo3MhN+FDtkaVSKKKs+zZYPumUK5FQhxvWXtaM
-zPcPEAxSTtAWYeXlCmy/F8dyRlecmPVsYGN6b165Ti/Iubm7aoW8mA3t+T6XhDSU
-rgCvoeXnkm5OvfPi2RSLXNLrAWygF6UtEOucekq9ve7O/e0iQKtwOIj1CodqwqsF
-YMlIBdpTwd5Ed2qz8zw87YC8pjhKKSRf/lk7myV6VmMAZLldpGJ9VzZPrYPvH5JT
-oI53V93lYRE9IwCQTDz6o2CTBKOvNfYOao9PSmCnhQVsRqGP9Md246FZV/dxssRu
-FFxtbUFm3xuTsdQAw+7Lzzw9IYCpX2Nl/N3gX6T0K/CFcUHUZyX7GrGXrtaZghNB
-0m6lG5kngOcLqagA
+MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
+b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
+Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
+dEBjYWNlcnQub3JnMB4XDTExMDUyMzE3NDgwMloXDTIxMDUyMDE3NDgwMlowVDEU
+MBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0
+Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57a
+iX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1
+aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6C
+jQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgia
+pNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0
+FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPt
+XapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luL
+oFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6
+R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGp
+rmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/
+LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVA
+BfvpAgMBAAGjggINMIICCTAdBgNVHQ4EFgQUdahxYEyIE/B42Yl3tW3Fid+8sXow
+gaMGA1UdIwSBmzCBmIAUFrUyG9TH8+DmjvO90rA67rI5GNGhfaR7MHkxEDAOBgNV
+BAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAG
+A1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYS
+c3VwcG9ydEBjYWNlcnQub3JnggEAMA8GA1UdEwEB/wQFMAMBAf8wXQYIKwYBBQUH
+AQEEUTBPMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5DQWNlcnQub3JnLzAoBggr
+BgEFBQcwAoYcaHR0cDovL3d3dy5DQWNlcnQub3JnL2NhLmNydDBKBgNVHSAEQzBB
+MD8GCCsGAQQBgZBKMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuQ0FjZXJ0Lm9y
+Zy9pbmRleC5waHA/aWQ9MTAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly93d3cuQ0Fj
+ZXJ0Lm9yZy9pbmRleC5waHA/aWQ9MTAwUAYJYIZIAYb4QgENBEMWQVRvIGdldCB5
+b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSwgZ28gdG8gaHR0cDovL3d3dy5D
+QWNlcnQub3JnMA0GCSqGSIb3DQEBCwUAA4ICAQApKIWuRKm5r6R5E/CooyuXYPNc
+7uMvwfbiZqARrjY3OnYVBFPqQvX56sAV2KaC2eRhrnILKVyQQ+hBsuF32wITRHhH
+Va9Y/MyY9kW50SD42CEH/m2qc9SzxgfpCYXMO/K2viwcJdVxjDm1Luq+GIG6sJO4
+D+Pm1yaMMVpyA4RS5qb1MyJFCsgLDYq4Nm+QCaGrvdfVTi5xotSu+qdUK+s1jVq3
+VIgv7nSf7UgWyg1I0JTTrKSi9iTfkuO960NAkW4cGI5WtIIS86mTn9S8nK2cde5a
+lxuV53QtHA+wLJef+6kzOXrnAzqSjiL2jA3k2X4Ndhj3AfnvlpaiVXPAPHG0HRpW
+Q7fDCo1y/OIQCQtBzoyUoPkD/XFzS4pXM+WOdH4VAQDmzEoc53+VGS3FpQyLu7Xt
+hbNc09+4ufLKxw0BFKxwWMWMjTPUnWajGlCVI/xI4AZDEtnNp4Y5LzZyo4AQ5OHz
+0ctbGsDkgJp8E3MGT9ujayQKurMcvEp4u+XjdTilSKeiHq921F73OIZWWonO1sOn
+ebJSoMbxhbQljPI/lrMQ2Y1sVzufb4Y6GIIiNsiwkTjbKqGTqoQ/9SdlrnPVyNXT
+d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
+4GGSt/M3mMS+lqO3ig==
 -----END CERTIFICATE-----
--- a/debian/NEWS
+++ b/debian/NEWS
@ -1,3 +1,54 @@
+ca-certificates (20111025) unstable; urgency=low
+
+  * Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
+    Certificates added (+) and removed (-):
+    + "AffirmTrust Commercial"
+    + "AffirmTrust Networking"
+    + "AffirmTrust Premium"
+    + "AffirmTrust Premium ECC"
+    + "A-Trust-nQual-03"
+    + "Bogus Global Trustee"
+    + "Bogus GMail"
+    + "Bogus Google"
+    + "Bogus kuix.de"
+    + "Bogus live.com"
+    + "Bogus Mozilla Addons"
+    + "Bogus Skype"
+    + "Bogus Yahoo 1"
+    + "Bogus Yahoo 2"
+    + "Bogus Yahoo 3"
+    + "Certinomis - Autorité Racine"
+    + "Certum Trusted Network CA"
+    + "Explicitly Distrust DigiNotar Cyber CA"
+    + "Explicitly Distrust DigiNotar Cyber CA 2nd"
+    + "Explicitly Distrust DigiNotar Root CA"
+    + "Explicitly Distrust DigiNotar Services 1024 CA"
+    + "Explicitly Distrusted DigiNotar PKIoverheid"
+    + "Explicitly Distrusted DigiNotar PKIoverheid G2"
+    + "Go Daddy Root Certificate Authority - G2"
+    + "Root CA Generalitat Valenciana"
+    + "Starfield Root Certificate Authority - G2"
+    + "Starfield Services Root Certificate Authority - G2"
+    + "TWCA Root Certification Authority"
+    - "AOL Time Warner Root Certification Authority 1"
+    - "AOL Time Warner Root Certification Authority 2"
+    - "DigiNotar Root CA"
+    - "Entrust.net Global Secure Personal CA"
+    - "Entrust.net Global Secure Server CA"
+    - "Entrust.net Secure Personal CA"
+    - "IPS Chained CAs root"
+    - "IPS CLASE1 root"
+    - "IPS CLASE3 root"
+    - "IPS CLASEA1 root"
+    - "IPS CLASEA3 root"
+    - "IPS Timestamping root"
+    - "Thawte Personal Freemail CA"
+    - "Thawte Time Stamping CA"
+  * "Bogus *" CAs above address Comodo MITM 03/11  Closes: #619587
+  * Update CAcert-Class 3-Subroot-certificate  Closes: #630232
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 23 Oct 2011 23:16:57 -0500
+
 ca-certificates (20090708) unstable; urgency=low

  * Removed CA files:
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,69 @@
+ca-certificates (20111025) unstable; urgency=low
+
+  [ Michael Shuler ]
+  * Add 3.0 (native) source format
+  * Add Vcs-Git/Browser fields
+  * Add myself as new Maintainer with Uploaders  Closes: #588219
+  * Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
+    Certificates added (+) and removed (-):
+    + "AffirmTrust Commercial"
+    + "AffirmTrust Networking"
+    + "AffirmTrust Premium"
+    + "AffirmTrust Premium ECC"
+    + "A-Trust-nQual-03"
+    + "Bogus Global Trustee"
+    + "Bogus GMail"
+    + "Bogus Google"
+    + "Bogus kuix.de"
+    + "Bogus live.com"
+    + "Bogus Mozilla Addons"
+    + "Bogus Skype"
+    + "Bogus Yahoo 1"
+    + "Bogus Yahoo 2"
+    + "Bogus Yahoo 3"
+    + "Certinomis - Autorité Racine"
+    + "Certum Trusted Network CA"
+    + "Explicitly Distrust DigiNotar Cyber CA"
+    + "Explicitly Distrust DigiNotar Cyber CA 2nd"
+    + "Explicitly Distrust DigiNotar Root CA"
+    + "Explicitly Distrust DigiNotar Services 1024 CA"
+    + "Explicitly Distrusted DigiNotar PKIoverheid"
+    + "Explicitly Distrusted DigiNotar PKIoverheid G2"
+    + "Go Daddy Root Certificate Authority - G2"
+    + "Root CA Generalitat Valenciana"
+    + "Starfield Root Certificate Authority - G2"
+    + "Starfield Services Root Certificate Authority - G2"
+    + "TWCA Root Certification Authority"
+    - "AOL Time Warner Root Certification Authority 1"
+    - "AOL Time Warner Root Certification Authority 2"
+    - "DigiNotar Root CA"
+    - "Entrust.net Global Secure Personal CA"
+    - "Entrust.net Global Secure Server CA"
+    - "Entrust.net Secure Personal CA"
+    - "IPS Chained CAs root"
+    - "IPS CLASE1 root"
+    - "IPS CLASE3 root"
+    - "IPS CLASEA1 root"
+    - "IPS CLASEA3 root"
+    - "IPS Timestamping root"
+    - "Thawte Personal Freemail CA"
+    - "Thawte Time Stamping CA"
+  * "Bogus *" CAs above address Comodo MITM 03/11  Closes: #619587
+  * Update CAcert-Class 3-Subroot-certificate  Closes: #630232
+
+  [ Steve Langasek ]
+  * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
+    the way before calling c_rehash, so that symlinks don't accidentally get
+    pointed here, breaking openssl certificate verification  LP: #854927
+
+  [ Loïc Minier ]
+  * Drop bogus c_rehash on upgrades, which caused issue when
+    ca-certificates.crt was still in place; instead, call
+    update-ca-certificates --fresh on upgrades to this version, and
+    the usual update-ca-certificates otherwise  Closes: #643667, #537382
+
+ -- Michael Shuler <michael@pbandjelly.org>  Tue, 25 Oct 2011 09:12:10 -0500
+
 ca-certificates (20111022) unstable; urgency=low

  * QA upload.
--- a/debian/config
+++ b/debian/config
--- a/debian/control
+++ b/debian/control
@ -1,10 +1,15 @@
 Source: ca-certificates
 Section: misc
 Priority: optional
-Maintainer: Debian QA Group <packages@qa.debian.org>
+Maintainer: Michael Shuler <michael@pbandjelly.org>
+Uploaders: Raphael Geissert <geissert@debian.org>,
+           Thijs Kinkhorst <thijs@debian.org>,
+           Christian Perrier <bubulle@debian.org>
 Build-Depends: debhelper (>= 8), po-debconf
 Build-Depends-Indep: python
 Standards-Version: 3.9.2
+Vcs-Git: git://git.debian.org/git/collab-maint/ca-certificates.git
+Vcs-Browser: http://git.debian.org/?p=collab-maint/ca-certificates.git

 Package: ca-certificates
 Architecture: all
--- a/debian/postinst
+++ b/debian/postinst
@ -137,13 +137,12 @@ EOF
 	        -e 's/^[[:space:]]*1[[:space:]]*/!/' \
 	    >> /etc/ca-certificates.conf
 	fi
-	update-ca-certificates
-	# Call c_rehash when upgrading from older versions to that we
-	# have both the old and new style of symlink
-	if [ ! -z "$2" ]; then
-	  if dpkg --compare-versions "$2" le 20090814+nmu3; then
-	    c_rehash
-	  fi
+	# fix bogus symlink to ca-certificates.crt on upgrades; see
+	# Debian #643667; drop after wheezy
+	if dpkg --compare-versions "$2" lt-nl 20111025; then
+	    update-ca-certificates --fresh
+	else
+	    update-ca-certificates
 	fi
    ;;

--- a/debian/source/format
+++ b/debian/source/format
@ -0,0 +1 @@
+3.0 (native)
--- a/mozilla/certdata.txt
+++ b/mozilla/certdata.txt
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@ -127,8 +127,7 @@ then
  done
 fi

-chmod 0644 "$TEMPBUNDLE"
-mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+rm -f "$CERTBUNDLE"

 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")
@ -144,6 +143,9 @@ then
  fi
 fi

+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."

 HOOKSDIR=/etc/ca-certificates/update.d