Fedora 21 Update: ca-certificates-2014.2.1-1.1.fc21

updates at fedoraproject.org
Sat Sep 27 09:59:11 UTC 2014


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2014-11172
2014-09-24 15:23:55
--------------------------------------------------------------------------------

Name        : ca-certificates
Product     : Fedora 21
Version     : 2014.2.1
Release     : 1.1.fc21
URL         : http://www.mozilla.org/
Summary     : The Mozilla CA root certificate bundle
Description :
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.

--------------------------------------------------------------------------------
Update Information:

The upstream Mozilla CA certificates list version 2.1, as released by Mozilla with NSS 3.16.4, removed trust for several old roots, which are considered to have weak keys.

The related upstream bugs are:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
https://bugzilla.mozilla.org/show_bug.cgi?id=986005

Unfortunately, after these removals, we see software that uses OpenSSL/GnuTLS having issues with many popular web sites.

The issue (or one of several possible issues) is that web sites may be configured to send multiple intermediate CA certificates, intended for maximum compatibility with client software. One intermediate points to one of the removed CA certificates, and a second points to a newer root. The problem is that OpenSSL/GnuTLS don't search for an alternative trusted root after being unable to construct a trust chain for the topmost intermediate CA certificate sent by the servers.
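
Added example (not part of the original advisory, and not OpenSSL or GnuTLS code): a simplified Python model of the chain-building behaviour described above, comparing a builder that follows the first matching intermediate with one that backtracks to an alternative path. The Cert tuple, the function names and all certificate names are constructed for illustration, and only subject/issuer names are compared.

```python
# Simplified model of chain building: a certificate is only (subject, issuer).
# Signatures, validity and key identifiers are not checked. Names are constructed.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

def build_first_match(leaf, sent, trusted):
    """Follow the server-sent intermediates first and consult the trust store
    only when they run out. No alternative is tried after a dead end."""
    chain, current = [leaf], leaf
    while True:
        nxt = next((c for c in sent
                    if c.subject == current.issuer and c not in chain), None)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    root = next((r for r in trusted if r.subject == current.issuer), None)
    return chain + [root] if root else None

def build_with_alternatives(leaf, sent, trusted, chain=None):
    """Depth-first search: stop as soon as a trusted root issues the current
    certificate, otherwise try each candidate issuer and backtrack on failure."""
    chain = chain or [leaf]
    current = chain[-1]
    for root in trusted:
        if root.subject == current.issuer:
            return chain + [root]
    for cand in sent:
        if cand.subject == current.issuer and cand not in chain:
            found = build_with_alternatives(leaf, sent, trusted, chain + [cand])
            if found:
                return found
    return None

# Constructed sample data: two intermediates with the same subject.
LEAF = Cert("www.example.test", "Example Issuing CA")
INTER_OLD = Cert("Example Issuing CA", "Old Root 1024")  # points to removed root
INTER_NEW = Cert("Example Issuing CA", "New Root 2048")  # points to newer root
OLD_ROOT = Cert("Old Root 1024", "Old Root 1024")
NEW_ROOT = Cert("New Root 2048", "New Root 2048")
SENT = [INTER_OLD, INTER_NEW]  # order in which the server sends them

if __name__ == "__main__":
    for label, store in (("old root trusted", [OLD_ROOT, NEW_ROOT]),
                         ("old root removed", [NEW_ROOT])):
        print(label)
        print("  first match :", build_first_match(LEAF, SENT, store))
        print("  alternatives:", build_with_alternatives(LEAF, SENT, store))
```

With the old root removed, the first-match builder returns None even though a valid path through the second intermediate exists; the result also depends on the order in which the server sends the intermediates.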

In order to allow more time to implement enhancements or workarounds, the ca-certificates package will temporarily add back trust to the related root CA certificates.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1144767 - login error for live and yahoo account
        https://bugzilla.redhat.com/show_bug.cgi?id=1144767
  [ 2 ] Bug #1144808 - Temporarily re-enable several weak CA certificates until a better solution for openssl/gnutls can be found
        https://bugzilla.redhat.com/show_bug.cgi?id=1144808
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update ca-certificates' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

