public-mirrors/ca-certificates
1
0
Fork 0
mirror of https://git.launchpad.net/ubuntu/+source/ca-certificates synced 2025-08-05 16:59:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

20180409 (patches unapplied)

Browse source 
Imported using git-ubuntu import.
This commit is contained in:
Michael Shuler 2018-04-09 18:43:49 -05:00 committed by git-ubuntu importer
parent 47e49e1e0a
commit 7b954313d4
Notes: git-ubuntu importer 2020-07-14 23:32:26 +00:00 
  [ Michael Shuler ]
  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.22.
    The following certificate authorities were added (+):
    + "GDCA TrustAUTH R5 ROOT"
    + "SSL.com EV Root Certification Authority ECC"
    + "SSL.com EV Root Certification Authority RSA R2"
    + "SSL.com Root Certification Authority ECC"
    + "SSL.com Root Certification Authority RSA"
    + "TrustCor ECA-1"
    + "TrustCor RootCert CA-1"
    + "TrustCor RootCert CA-2"
    The following certificate authorities were removed (-):
    - "ACEDICOM Root"
    - "AddTrust Low-Value Services Root"
    - "AddTrust Public Services Root"
    - "AddTrust Qualified Certificates Root"
    - "CA Disig Root R1"
    - "CNNIC ROOT"
    - "Camerfirma Chambers of Commerce Root"
    - "Camerfirma Global Chambersign Root"
    - "Certinomis - Autorité Racine"
    - "Certum Root CA"
    - "China Internet Network Information Center EV Certificates Root"
    - "Comodo Secure Services root"
    - "Comodo Trusted Services root"
    - "DST ACES CA X6"
    - "GeoTrust Global CA 2"
    - "PSCProcert"
    - "Security Communication EV RootCA1"
    - "Swisscom Root CA 1"
    - "Swisscom Root CA 2"
    - "Swisscom Root EV CA 2"
    - "TURKTRUST Certificate Services Provider Root 2007"
    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
    - "UTN USERFirst Hardware Root CA"
  * mozilla/blacklist.txt
    Update blacklist to remove certificates no longer in certdata.txt and
    explicitly ignore distrusted certificates.
  * debian/copyright:
    Fix lintian insecure-copyright-format-uri with https URL.
  * debian/changelog:
    Fix lintian file-contains-trailing-whitespace.
  * debian/{compat,control}:
    Set to debhelper compat 11.
  * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
    usage of `c_rehash` script. Closes: #895075
  [ Thijs Kinkhorst ]
  * Remove Christian Perrier from uploaders at his request (closes: #894070).
  * Checked for policy 4.1.4, no changes.
10 changed files with 1466 additions and 7636 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

78
debian/changelog vendored
View file

@ -1,3 +1,59 @@
ca-certificates (20180409) unstable; urgency=medium
[ Michael Shuler ]
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.22.
The following certificate authorities were added (+):
+ "GDCA TrustAUTH R5 ROOT"
+ "SSL.com EV Root Certification Authority ECC"
+ "SSL.com EV Root Certification Authority RSA R2"
+ "SSL.com Root Certification Authority ECC"
+ "SSL.com Root Certification Authority RSA"
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
The following certificate authorities were removed (-):
- "ACEDICOM Root"
- "AddTrust Low-Value Services Root"
- "AddTrust Public Services Root"
- "AddTrust Qualified Certificates Root"
- "CA Disig Root R1"
- "CNNIC ROOT"
- "Camerfirma Chambers of Commerce Root"
- "Camerfirma Global Chambersign Root"
- "Certinomis - Autorité Racine"
- "Certum Root CA"
- "China Internet Network Information Center EV Certificates Root"
- "Comodo Secure Services root"
- "Comodo Trusted Services root"
- "DST ACES CA X6"
- "GeoTrust Global CA 2"
- "PSCProcert"
- "Security Communication EV RootCA1"
- "Swisscom Root CA 1"
- "Swisscom Root CA 2"
- "Swisscom Root EV CA 2"
- "TURKTRUST Certificate Services Provider Root 2007"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "UTN USERFirst Hardware Root CA"
* mozilla/blacklist.txt
Update blacklist to remove certificates no longer in certdata.txt and
explicitly ignore distrusted certificates.
* debian/copyright:
Fix lintian insecure-copyright-format-uri with https URL.
* debian/changelog:
Fix lintian file-contains-trailing-whitespace.
* debian/{compat,control}:
Set to debhelper compat 11.
* Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
usage of `c_rehash` script. Closes: #895075
[ Thijs Kinkhorst ]
* Remove Christian Perrier from uploaders at his request (closes: #894070).
* Checked for policy 4.1.4, no changes.
-- Michael Shuler <michael@pbandjelly.org> Mon, 09 Apr 2018 18:43:49 -0500
ca-certificates (20170717) unstable; urgency=medium ca-certificates (20170717) unstable; urgency=medium
* Update to Standards-Version: 4.0.1 * Update to Standards-Version: 4.0.1
@ -963,17 +1019,17 @@ ca-certificates (20050518) unstable; urgency=high
* update mozilla/certdata.txt * update mozilla/certdata.txt
add: "Certum Root CA", "Comodo AAA Services root" add: "Certum Root CA", "Comodo AAA Services root"
"Comodo Secure Services root", "Comodo Secure Services root",
"Comodo Trusted Services root", "Comodo Trusted Services root",
"IPS Chained CAs root", "IPS CLASE1 root", "IPS CLASE3 root", "IPS Chained CAs root", "IPS CLASE1 root", "IPS CLASE3 root",
"IPS CLASEA1 root", "IPS CLASEA3 root", "IPS Servidores root" "IPS CLASEA1 root", "IPS CLASEA3 root", "IPS Servidores root"
"IPS Timestamping root", "IPS Timestamping root",
"QuoVadis Root CA", "QuoVadis Root CA",
"Security Communication Root CA", "Security Communication Root CA",
"Sonera Class 1 Root CA", "Sonera Class 2 Root CA", "Sonera Class 1 Root CA", "Sonera Class 2 Root CA",
"Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA",
"TDC Internet Root CA", "TDC OCES Root CA", "TDC Internet Root CA", "TDC OCES Root CA",
"UTN DATACorp SGC Root CA", "UTN USERFirst Email Root CA", "UTN DATACorp SGC Root CA", "UTN USERFirst Email Root CA",
"UTN USERFirst Hardware Root CA", "UTN USERFirst Object Root CA" "UTN USERFirst Hardware Root CA", "UTN USERFirst Object Root CA"
* add CACert.org's Root CA * add CACert.org's Root CA
closes: Bug#213086, Bug#288293 closes: Bug#213086, Bug#288293
* add debian/po/vi.po * add debian/po/vi.po

2
debian/compat vendored
View file

@ -1 +1 @@
10 11

11
debian/control vendored
View file

@ -4,16 +4,15 @@ Priority: optional
Maintainer: Michael Shuler <michael@pbandjelly.org> Maintainer: Michael Shuler <michael@pbandjelly.org>
Uploaders: Raphael Geissert <geissert@debian.org>, Uploaders: Raphael Geissert <geissert@debian.org>,
Thijs Kinkhorst <thijs@debian.org>, Thijs Kinkhorst <thijs@debian.org>,
Christian Perrier <bubulle@debian.org> Build-Depends: debhelper (>= 11), po-debconf
Build-Depends: debhelper (>= 10), po-debconf
Build-Depends-Indep: python, openssl Build-Depends-Indep: python, openssl
Standards-Version: 4.0.1 Standards-Version: 4.1.4
Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
Package: ca-certificates Package: ca-certificates
Architecture: all Architecture: all
Depends: openssl (>= 1.0.0), ${misc:Depends} Depends: openssl (>= 1.1.0), ${misc:Depends}
Enhances: openssl Enhances: openssl
Multi-Arch: foreign Multi-Arch: foreign
Breaks: ca-certificates-java (<<20121112+nmu1) Breaks: ca-certificates-java (<<20121112+nmu1)

2
debian/copyright vendored
View file

@ -1,4 +1,4 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: http://ftp.debian.org/debian/pool/main/c/ca-certificates/ Source: http://ftp.debian.org/debian/pool/main/c/ca-certificates/
Files: debian/* Files: debian/*

2
debian/rules vendored
View file

@ -60,7 +60,7 @@ install: build
install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
(cd mozilla; \ (cd mozilla; \
$(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs") $(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs")
c_rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs" openssl rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
# Build architecture-independent files here. # Build architecture-independent files here.
binary-indep: build install binary-indep: build install

30
mozilla/blacklist.txt
View file

@ -1,23 +1,13 @@
# One blacklist entry per line, corresponding to the label in certdata.txt. # One blacklist entry per line, corresponding to the label in certdata.txt.
# MD5 Collision Proof of Concept CA # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
"MD5 Collisions Forged Rogue CA 25c3" "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
"Explicitly Distrust DigiNotar Root CA"
"Explicitly Distrusted DigiNotar PKIoverheid G2"
"MITM subCA 1 issued by Trustwave"
"MITM subCA 2 issued by Trustwave"
"TURKTRUST Mis-issued Intermediate CA 1"
"TURKTRUST Mis-issued Intermediate CA 2"
# DigiNotar Root CA (see debbug#639744)
"DigiNotar Root CA"
# StartCom and WoSign certificates are now untrusted by the major browser
# vendors[0]. See [1] for discussion. The list was generated by:
#
# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
#
# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
# [1] https://bugs.debian.org/858539
#
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"WoSign"
"WoSign China"
"Certification Authority of WoSign G2"
"CA WoSign ECC Root"

8943
mozilla/certdata.txt
View file

File diff suppressed because it is too large Load diff

4
mozilla/nssckbi.h
View file

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99. * It's recommend to switch back to 0 after having reached version 98/99.
*/ */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
#define NSS_BUILTINS_LIBRARY_VERSION "2.14" #define NSS_BUILTINS_LIBRARY_VERSION "2.22"
/* These version numbers detail the semantic changes to the ckfw engine. */ /* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

4
sbin/update-ca-certificates
View file

@ -174,9 +174,9 @@ then
# only run if set of files has changed # only run if set of files has changed
if [ "$verbose" = 0 ] if [ "$verbose" = 0 ]
then then
c_rehash . > /dev/null openssl rehash . > /dev/null
else else
c_rehash . openssl rehash .
fi fi
fi fi

4
sbin/update-ca-certificates.8
View file

@ -50,7 +50,7 @@ A summary of options is included below.
Show summary of options. Show summary of options.
.TP .TP
.B \-v, \-\-verbose .B \-v, \-\-verbose
Be verbose. Output \fBc_rehash\fP. Be verbose. Output \fBopenssl rehash\fP.
.TP .TP
.B \-f, \-\-fresh .B \-f, \-\-fresh
Fresh updates. Remove symlinks in /etc/ssl/certs directory. Fresh updates. Remove symlinks in /etc/ssl/certs directory.
@ -69,7 +69,7 @@ Directory of CA certificates.
.I /usr/local/share/ca-certificates .I /usr/local/share/ca-certificates
Directory of local CA certificates (with .crt extension). Directory of local CA certificates (with .crt extension).
.SH SEE ALSO .SH SEE ALSO
.BR c_rehash (1) .BR openssl (1)
.SH AUTHOR .SH AUTHOR
This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>, This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
for the Debian project (but may be used by others). for the Debian project (but may be used by others).