ports/160455: security/ca_root_nss: extracts untrusted certificates to trust bundle
Matthias Andree
mandree at FreeBSD.org
Sun Sep 4 13:10:14 UTC 2011
>Number: 160455
>Category: ports
>Synopsis: security/ca_root_nss: extracts untrusted certificates to trust bundle
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 04 13:10:13 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Matthias Andree
>Release: FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 8.2-STABLE FreeBSD 8.2-STABLE #14: Tue Aug 30 15:35:18 CEST 2011 toor at apollo.emma.line.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The ca-bundle.pl script that versions of ca_root_nss before 3.12.11
downloaded from apache13's mod_ssl would extract ALL certificates into
the output bundle regardless of if Mozilla had marked them untrusted in
their certdata.txt database.
As a consequence, those untrusted certification authorities were trusted
by GnuTLS or OpenSSL when these libraries were loaded with the CA bundle
generated by older ca-bundle.pl versions.
A new 3.12.11 version of ca_root_nss will use its own script that heeds
_UNTRUSTED markers.
>How-To-Repeat:
>Fix:
about to be committed
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list