Date: Sun, 04 Sep 2011 15:07:21 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/160455: security/ca_root_nss: extracts untrusted certificates to trust bundle
Message-ID: <E1R0CPx-000G9W-RK@apollo.emma.line.org>
Resent-Message-ID: <201109041310.p84DAEx8012996@freefall.freebsd.org>
>Number:         160455
>Category:       ports
>Synopsis:       security/ca_root_nss: extracts untrusted certificates to trust bundle
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 04 13:10:13 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Matthias Andree
>Release:        FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 8.2-STABLE FreeBSD 8.2-STABLE #14: Tue Aug 30 15:35:18 CEST 2011 toor@apollo.emma.line.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
The ca-bundle.pl script that versions of ca_root_nss before 3.12.11 downloaded from apache13's mod_ssl would extract ALL certificates into the output bundle, regardless of whether Mozilla had marked them untrusted in their certdata.txt database.

As a consequence, those untrusted certification authorities were trusted by GnuTLS or OpenSSL when these libraries were loaded with the CA bundle generated by older ca-bundle.pl versions.

A new 3.12.11 version of ca_root_nss will use its own script that heeds _UNTRUSTED markers.
>How-To-Repeat:
>Fix:
about to be committed
>Release-Note:
>Audit-Trail:
>Unformatted:
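As an added illustration (not code from the port, from NSS or from mod_ssl's ca-bundle.pl), a small Python parser for the certdata.txt object format that shows the difference between the old behaviour (emit every CKO_CERTIFICATE object) and a bundle builder that only emits CAs whose trust record says TRUSTED_DELEGATOR for server authentication; the certdata excerpt is constructed and its certificate bytes are placeholders, not real DER.

```python
import base64, re, textwrap

# Constructed certdata.txt excerpt (not real NSS data). CKA_VALUE holds a
# few placeholder bytes, not a real DER certificate.
CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Good CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Good CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
"""

def parse_certdata(text):
    """Map label -> DER bytes and label -> CKA_TRUST_SERVER_AUTH value."""
    certs, trust, label = {}, {}, None
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith('CKA_LABEL UTF8 "'):
            label = line.split('"', 2)[1]
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            # bytes are written as \NNN octal escapes until a bare END line
            body = "".join(iter(lines.__next__, "END"))
            certs[label] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
        elif line.startswith("CKA_TRUST_SERVER_AUTH CK_TRUST "):
            trust[label] = line.split()[-1]
    return certs, trust

def build_bundle(text, heed_trust=True):
    """PEM bundle; heed_trust=False mimics the old script, which ignored trust records."""
    certs, trust = parse_certdata(text)
    out = []
    for label, der in certs.items():
        # only *_TRUSTED_DELEGATOR is an anchor; UNTRUSTED / NOT_TRUSTED entries are dropped
        if heed_trust and not trust.get(label, "").endswith("_TRUSTED_DELEGATOR"):
            continue
        b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        out.append(f"# {label}\n-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n")
    return "".join(out)
```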