Fedora 20 Update: ca-certificates-2014.2.1-1.5.fc20

updates at fedoraproject.org
Sat Dec 13 09:34:38 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-15533
2014-11-22 11:34:50
--------------------------------------------------------------------------------

Name        : ca-certificates
Product     : Fedora 20
Version     : 2014.2.1
Release     : 1.5.fc20
URL         : http://www.mozilla.org/
Summary     : The Mozilla CA root certificate bundle
Description :
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.

--------------------------------------------------------------------------------
Update Information:

This is an update to CA certificates version 2.1, as released by Mozilla in NSS versions 3.16.4 and 3.17.

Several CA certificates with weak 1024-bit keys have been removed by Mozilla ahead of their expiration. (Additional CA certificates with weak 1024-bit keys are expected to be removed in future releases.)

Unfortunately, after these removals we see failures in software based on OpenSSL or GnuTLS when connecting to many popular web sites. The issue (or one of several possible issues) is that web sites may be configured to send multiple intermediate CA certificates, for maximum compatibility with client software: one intermediate chains to one of the removed root CA certificates, and another intermediate chains to a newer root. The problem is that OpenSSL and GnuTLS do not search for an alternative trusted root once they fail to build a trust chain from the topmost intermediate CA certificate sent by the server. The chain ends at an issuer that is no longer in the trust store, and validation fails even though a second path to a still-trusted root exists.

To allow more time for enhancements or workarounds to be implemented, the ca-certificates package keeps trusting the affected root CA certificates by default. See rhbz#1144808 for additional information. The related upstream bugs are: https://bugzilla.mozilla.org/show_bug.cgi?id=936304 https://bugzilla.mozilla.org/show_bug.cgi?id=986005

In addition, this update introduces the ca-legacy utility and a ca-legacy.conf configuration file. Using the new ca-legacy utility, it is possible to opt in to disabling trust for the legacy root CA certificates by running the command "ca-legacy disable".

If disabled, the system uses the trust set provided by the upstream Mozilla CA list, and as a consequence software based on OpenSSL/GnuTLS might fail to validate affected certificates. (See also: rhbz#1158197)
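The following is an added example, not part of this announcement and not code from the ca-certificates package or from Mozilla. It builds a throw-away PKI with the openssl command line that has the chain shape described above (a leaf, an intermediate issued by a newer root R2, and R2 cross-signed by a legacy root R1, with the server sending the intermediate plus the cross-certificate) and then validates the leaf against two trust stores: one that still contains the legacy root, which is what ca-legacy keeps by default, and one that contains only the newer root, which is what the system uses after "ca-legacy disable". All subject names, key sizes, file names and the verify_with helper are constructed for the demonstration. A current OpenSSL looks for the intermediate's issuer in the trust store before following the cross-certificate, so the second check passes there; an OpenSSL with the behaviour described in rhbz#1144808 stops at the cross-certificate, cannot find R1, and reports a failure. GnuTLS is not exercised here.

```shell
#!/bin/sh
# Added example (not from the Fedora announcement): reproduce the
# cross-signed-root chain from rhbz#1144808 with a throw-away PKI and
# check how the local OpenSSL handles it. Every name here is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for every CA certificate minted below, and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > leaf.ext

genkey() { openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$1" 2>/dev/null; }
csr()    { openssl req -new -key "$1" -subj "$2" -out "$3"; }

# R1: the legacy 1024-bit root, standing in for one that Mozilla removed.
genkey r1.key 1024
csr r1.key /CN=LegacyRootR1 r1.csr
openssl x509 -req -in r1.csr -signkey r1.key -extfile ca.ext -days 30 -out r1.pem 2>/dev/null

# R2: the newer 2048-bit root that stays in the Mozilla list.
genkey r2.key 2048
csr r2.key /CN=NewRootR2 r2.csr
openssl x509 -req -in r2.csr -signkey r2.key -extfile ca.ext -days 30 -out r2.pem 2>/dev/null

# Cross-certificate: R2's key and subject, signed by R1. Servers ship this so
# that clients which trust only R1 can still reach a trusted root.
openssl x509 -req -in r2.csr -CA r1.pem -CAkey r1.key -CAcreateserial \
    -extfile ca.ext -days 30 -out r2-by-r1.pem 2>/dev/null

# Intermediate I, issued by R2, and the server's leaf, issued by I.
genkey i.key 2048
csr i.key /CN=IntermediateI i.csr
openssl x509 -req -in i.csr -CA r2.pem -CAkey r2.key -CAcreateserial \
    -extfile ca.ext -days 30 -out i.pem 2>/dev/null
genkey leaf.key 2048
csr leaf.key /CN=www.example.test leaf.csr
openssl x509 -req -in leaf.csr -CA i.pem -CAkey i.key -CAcreateserial \
    -extfile leaf.ext -days 30 -out leaf.pem 2>/dev/null

# What the server sends next to the leaf: the intermediate, then the
# cross-signed R2. The topmost certificate of this list chains to R1.
cat i.pem r2-by-r1.pem > sent-chain.pem
cat r1.pem r2.pem > both-roots.pem

# verify_with TRUSTFILE: validate the leaf against exactly the roots in
# TRUSTFILE (the system certificate directory is suppressed). Returns 0/1.
verify_with() {
    if openssl verify -no-CApath -CAfile "$1" -untrusted sent-chain.pem leaf.pem >/dev/null 2>&1; then
        echo "trust=$1: ok"; return 0
    else
        echo "trust=$1: FAIL"; return 1
    fi
}

# Trust store still holding the legacy root (ca-legacy default): every OpenSSL
# accepts the chain leaf -> I -> r2-by-r1 -> R1.
verify_with both-roots.pem

# Legacy root gone (after "ca-legacy disable"): a current OpenSSL finds the
# self-signed R2 in the trust store as issuer of I; a release with the
# rhbz#1144808 behaviour follows r2-by-r1, finds no R1, and fails.
verify_with r2.pem || echo "this OpenSSL shows the rhbz#1144808 behaviour"
```

Run it as a plain sh script; it needs only openssl in PATH and removes its working directory on exit. The same sent-chain.pem and leaf.pem can be fed to an OpenSSL build from 2014, or to GnuTLS's certtool, to observe the failure the announcement describes; that comparison is not part of the script.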

More information about the affected CA certificates and other recent modifications can be found in the upstream NSS release notes for version 3.16.3 at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes with amendments to the changes as explained in the NSS release notes for version 3.16.4 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.4_release_notes

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 20 2014 Kai Engert <kaie at redhat.com> - 2014.2.1-1.5
- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
  By default, legacy roots required for OpenSSL/GnuTLS compatibility
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
  disabled. If disabled, the system will use the trust set as provided
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
- Includes the fixes for rhbz#1158343
* Sun Sep 21 2014 Kai Engert <kaie at redhat.com> - 2014.2.1-1.1
- Temporarily re-enable several legacy root CA certificates because of
  compatibility issues with software based on OpenSSL/GnuTLS,
  see rhbz#1144808
* Thu Aug 14 2014 Kai Engert <kaie at redhat.com> - 2014.2.1-1.0
- Update to CKBI 2.1 from NSS 3.16.4
- Fix rhbz#1130226
* Wed Mar 19 2014 Kai Engert <kaie at redhat.com> - 2013.1.97-1
- Update to CKBI 1.97 from NSS 3.16
- Remove openjdk build dependency
* Thu Jan  9 2014 Kai Engert <kaie at redhat.com> - 2013.1.96-1
- Update to CKBI 1.96 from NSS 3.15.4
* Tue Dec 17 2013 Kai Engert <kaie at redhat.com> - 2013.1.95-1
- Update to CKBI 1.95 from NSS 3.15.3.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1158197 - Allow disabling of legacy root CA certificates as a system configuration
        https://bugzilla.redhat.com/show_bug.cgi?id=1158197
  [ 2 ] Bug #1130226 - Ensure neutral-trust CA certificates will be loaded by p11-kit-trust
        https://bugzilla.redhat.com/show_bug.cgi?id=1130226
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update ca-certificates' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------