
openjdk team mailing list archive

[Bug 1258286] Re: CAcert should not be trusted by default

 

This bug was fixed in the package nss - 3.15.4-0ubuntu0.12.04.2

---------------
nss (3.15.4-0ubuntu0.12.04.2) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect IDNA wildcard handling
    - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
      nss/lib/certdb/certdb.c.
    - CVE-2014-1492
  * No longer ship cacert.org certificates. (LP: #1258286)
    - removed debian/patches/95_add_spi+cacert_ca_certs.patch
    - added debian/patches/95_add_spi_certs.patch
 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>   Wed, 02 Apr 2014 10:22:10 -0400

** Changed in: nss (Ubuntu Precise)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-1492

** Changed in: nss (Ubuntu Quantal)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1258286

Title:
  CAcert should not be trusted by default

Status in “ca-certificates” package in Ubuntu:
  Fix Released
Status in “ca-certificates-java” package in Ubuntu:
  Fix Released
Status in “nss” package in Ubuntu:
  Fix Released
Status in “ca-certificates” source package in Lucid:
  Fix Released
Status in “ca-certificates-java” source package in Lucid:
  New
Status in “nss” source package in Lucid:
  New
Status in “ca-certificates” source package in Precise:
  Fix Released
Status in “ca-certificates-java” source package in Precise:
  New
Status in “nss” source package in Precise:
  Fix Released
Status in “ca-certificates” source package in Quantal:
  Fix Released
Status in “ca-certificates-java” source package in Quantal:
  New
Status in “nss” source package in Quantal:
  Fix Released
Status in “ca-certificates” source package in Saucy:
  Fix Released
Status in “ca-certificates-java” source package in Saucy:
  New
Status in “nss” source package in Saucy:
  Fix Released
Status in “ca-certificates” source package in Trusty:
  Fix Released
Status in “ca-certificates-java” source package in Trusty:
  Fix Released
Status in “nss” source package in Trusty:
  Fix Released
Status in “ca-certificates” package in Debian:
  Fix Released
Status in “ca-certificates-java” package in Debian:
  Fix Released

Bug description:
  Ubuntu is one of the few distributions shipping CAcert as a trusted
  certificate. Many distributions are considering[1] whether to remove
  CAcert, and Mozilla closed the RFE[2] for CAcert in 2008, which was
  opened in 2003.

  Concerns were expressed about CAcert's code quality[3], and their
  audit appears to be stalled.

  In the past, it appears that Ubuntu disabled[4] CAcert, but this is no
  longer the case. It may be wise to do so again.

  [1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#50
  [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
  [3]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#45
  [4]: http://wiki.cacert.org/InclusionStatus?highlight=Ubuntu
