Bug 160455

Summary: security/ca_root_nss: extracts untrusted certificates to trust bundle
Product: Ports & Packages
Reporter: Matthias Andree <mandree>
Component: Individual Port(s)
Assignee: Matthias Andree <mandree>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Matthias Andree freebsd_committer freebsd_triage 2011-09-04 14:10:13 UTC
The ca-bundle.pl script that versions of ca_root_nss before 3.12.11
downloaded from apache13's mod_ssl would extract ALL certificates into
the output bundle regardless of whether Mozilla had marked them untrusted in
their certdata.txt database.

As a consequence, those untrusted certification authorities were trusted
by GnuTLS or OpenSSL when these libraries were loaded with the CA bundle
generated by older ca-bundle.pl versions.

A new 3.12.11 version of ca_root_nss will use its own script that heeds
_UNTRUSTED markers.

Fix: 

about to be committed
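A small Python rendering of the trust filter this bug is about, added here as an illustration and not the port's own ca-bundle.pl or its replacement script: it parses the certdata.txt layout (a CKO_CERTIFICATE object with a MULTILINE_OCTAL value, followed by a trust object carrying CKA_TRUST_* attributes) and exports only roots whose server-auth trust is CKT_NETSCAPE_TRUSTED_DELEGATOR and that carry no CKT_NETSCAPE_UNTRUSTED marker; `heed_trust=False` reproduces the export-everything behaviour described above. The sample data, function names and the exact trust-flag policy are assumptions, not taken from the page.

```python
import base64
import re
# Constructed certdata.txt-style sample; the octal values are dummy bytes, not real certificates.
SAMPLE_CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Good Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
"""

def parse_certdata(text):
    """Return (label -> DER bytes, label -> {trust attribute: value})."""
    certs, trust, label = {}, {}, None
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_LABEL"):
            label = line.split(" ", 2)[2].strip('"')
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            octal = "".join(iter(lines.__next__, "END"))  # consume \ooo escapes up to END
            certs[label] = bytes(int(o, 8) for o in re.findall(r"\\(\d{3})", octal))
        elif line.startswith("CKA_TRUST_"):  # CKA_TRUST_* only occur in trust objects
            attr, _, value = line.split()
            trust.setdefault(label, {})[attr] = value
    return certs, trust

def build_bundle(text, heed_trust=True):
    """Return (labels, pem). heed_trust=False mimics the old ca-bundle.pl: every cert is exported."""
    certs, trust = parse_certdata(text)
    labels, pem = [], []
    for label, der in certs.items():
        flags = trust.get(label, {})
        if heed_trust and ("CKT_NETSCAPE_UNTRUSTED" in flags.values()
                           or flags.get("CKA_TRUST_SERVER_AUTH") != "CKT_NETSCAPE_TRUSTED_DELEGATOR"):
            continue  # distrusted or not a trusted delegator for server auth: keep it out
        body = base64.b64encode(der).decode("ascii")
        pem.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % "\n".join(body[i:i + 64] for i in range(0, len(body), 64)))
        labels.append(label)
    return labels, "".join(pem)
```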
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2011-09-04 14:10:36 UTC
Responsible Changed
From-To: freebsd-ports-bugs->brooks

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2011-09-04 14:14:36 UTC
mandree     2011-09-04 13:14:22 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Revise nss/ca_root_nss working around Mozilla,
  limit ca_root_nss vuln to < 3.12.11 from <= 3.12.11.
  
  Add a new entry for the ca_root_nss bug that caused extraction of untrusted
  certificates to the trust bundle.
  
  PR: ports/160455
  
  Revision  Changes    Path
  1.2434    +36 -3     ports/security/vuxml/vuln.xml
Comment 3 Matthias Andree freebsd_committer freebsd_triage 2011-09-04 14:15:21 UTC
State Changed
From-To: open->closed

I have already handled the problem with a commit to ca_root_nss ver 3.12.11.
Comment 4 Matthias Andree freebsd_committer freebsd_triage 2011-09-04 14:15:21 UTC
Responsible Changed
From-To: brooks->mandree

I have already handled the problem with a commit to ca_root_nss ver 3.12.11.