Mantis - openssl
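ID: 4822
Category: packaging
Severity: major
Reproducibility: N/A
Date Submitted: 2011-09-14 13:47
Last Update: 2012-04-21 01:06
Reporter: bwalton
Assigned To: yann
Priority: normal
Status: closed
Resolution: fixed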
none    
none  
0004822: CA Compromise
If we are distributing the certificates for DigiNotar, it might be wise to unpackage it as they've been compromised quite badly.
http://www.net-security.org/secworld.php?id=11565
Issue History
2011-09-14 13:47 bwalton New Issue
2011-09-19 22:35 yann Note Added: 0009282
2011-09-19 22:35 yann Assigned To => yann
2011-09-19 22:35 yann Status new => acknowledged
2012-02-05 10:32 yann Note Added: 0009578
2012-02-05 10:32 yann Status acknowledged => resolved
2012-02-05 10:32 yann Resolution open => fixed
2012-04-21 01:06 yann Status resolved => closed

Notes
(0009282)
yann   
2011-09-19 22:35   
We do not distribute CAs in the openssl package but in the ca_certificates package. However, I think it's wise to do as Debian does and blacklist the DigiNotar CA in openssl itself, so I am currently rebuilding openssl with some code borrowed from a Debian patch to blacklist DigiNotar regardless of the CAs configured with openssl.
(0009578)
yann   
2012-02-05 10:32   
The CA has been removed from the CA certificate package and openssl has been patched to blacklist this certificate.

I am closing this bug.