The ca-bundle.pl script that versions of ca_root_nss before 3.12.11 downloaded from apache13's mod_ssl would extract ALL certificates into the output bundle regardless of whether Mozilla had marked them untrusted in their certdata.txt database. As a consequence, those untrusted certification authorities were trusted by GnuTLS or OpenSSL when these libraries were loaded with the CA bundle generated by older ca-bundle.pl versions. A new 3.12.11 version of ca_root_nss will use its own script that heeds _UNTRUSTED markers. Fix: about to be committed
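As an added illustration, not code from this PR, from ca_root_nss or from the mod_ssl ca-bundle.pl script, the following Python sketch shows the difference the report describes: exporting every CKO_CERTIFICATE object from a certdata.txt-style file versus consulting the matching trust record and dropping entries Mozilla has marked distrusted. It assumes the certdata.txt object layout (one CKA_* attribute per line, MULTILINE_OCTAL values terminated by END, blank lines separating objects, trust records carrying CKA_TRUST_SERVER_AUTH) and joins trust records to certificates by CKA_LABEL, which is a simplification. The sample data is constructed and its certificate bytes are dummies, not real DER.

```python
import base64
import textwrap

# Constructed sample in the certdata.txt layout. CKA_VALUE bytes are dummy
# placeholders, not real DER certificates; labels are made up. The third trust
# record uses the older CKO_NETSCAPE_TRUST / CKT_NETSCAPE_UNTRUSTED spelling,
# the second the newer CKO_NSS_TRUST / CKT_NSS_NOT_TRUSTED one.
SAMPLE_CERTDATA = r"""
# Certificate "Good Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Good Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
\003\004
END

# Trust for "Good Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Good Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\003
END

# Trust for "Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED

# Certificate "Legacy Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Legacy Distrusted CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\004
END

# Trust for "Legacy Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Legacy Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
"""

TRUST_CLASSES = ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")


def parse_objects(text):
    """Split certdata.txt into objects: blank lines separate them, '#' lines are comments."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, kind, *rest = line.split(None, 2)
        if kind == "MULTILINE_OCTAL":
            # Octal escapes (\060\202...) continue until a line reading END.
            raw = bytearray()
            for octal_line in lines:
                if octal_line.strip() == "END":
                    break
                raw.extend(int(tok, 8) for tok in octal_line.strip().split("\\") if tok)
            current[attr] = bytes(raw)
        elif kind == "UTF8":
            current[attr] = rest[0].strip('"')
        else:
            current[attr] = rest[0] if rest else ""
    if current:
        objects.append(current)
    return objects


def classify(text):
    """Map each certificate label to 'trusted', 'distrusted' or 'unknown' for server auth."""
    objects = parse_objects(text)
    # Simplification: trust records are joined to certificates by CKA_LABEL.
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") in TRUST_CLASSES}
    result = {}
    for cert in (o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"):
        value = trust.get(cert["CKA_LABEL"], {}).get("CKA_TRUST_SERVER_AUTH", "")
        if value.endswith("_UNTRUSTED") or value.endswith("_NOT_TRUSTED"):
            result[cert["CKA_LABEL"]] = "distrusted"   # both NSS spellings of the marker
        elif value.endswith("_TRUSTED_DELEGATOR"):
            result[cert["CKA_LABEL"]] = "trusted"
        else:
            result[cert["CKA_LABEL"]] = "unknown"
    return result


def to_pem(der):
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def build_bundle(text, heed_trust=True):
    """Return the PEM bundle. heed_trust=False mimics the old behaviour the PR describes:
    every certificate object is exported and trust records are never consulted."""
    verdict = classify(text)
    certs = [o for o in parse_objects(text) if o.get("CKA_CLASS") == "CKO_CERTIFICATE"]
    out = []
    for cert in certs:
        if heed_trust and verdict[cert["CKA_LABEL"]] != "trusted":
            continue
        out.append(to_pem(cert["CKA_VALUE"]))
    return "".join(out)


if __name__ == "__main__":
    print("old behaviour:", build_bundle(SAMPLE_CERTDATA, heed_trust=False).count("BEGIN"), "certs")
    print("heeding trust:", build_bundle(SAMPLE_CERTDATA).count("BEGIN"), "certs")
```

Run against the constructed sample, the trust-blind path emits all three certificates, including the two distrusted ones, while the trust-aware path emits only "Good Root CA". An "unknown" verdict (no trust record, or a marker such as must-verify) is also excluded from the bundle here, which is stricter than merely skipping explicit _UNTRUSTED markers.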
Responsible Changed From-To: freebsd-ports-bugs->brooks Over to maintainer (via the GNATS Auto Assign Tool)
mandree 2011-09-04 13:14:22 UTC
FreeBSD ports repository
Modified files: security/vuxml vuln.xml
Log:
Revise nss/ca_root_nss working around Mozilla, limit ca_root_nss vuln to < 3.12.11 from <= 3.12.11. Add a new entry for the ca_root_nss bug that caused extraction of untrusted certificates to the trust bundle.
PR: ports/160455
Revision Changes Path
1.2434 +36 -3 ports/security/vuxml/vuln.xml
State Changed From-To: open->closed I have already handled the problem with a commit to ca_root_nss ver 3.12.11.
Responsible Changed From-To: brooks->mandree I have already handled the problem with a commit to ca_root_nss ver 3.12.11.