Blacklist fraudulent UTN-USERFirst-Hardware certificates

Bug #741729 reported by giff gill
This bug affects 2 people
Affects                     Status         Importance   Assigned to     Milestone
ca-certificates             New            Undecided    auto-team
ca-certificates (Debian)    New            Undecided    Unassigned
ca-certificates (Ubuntu)    Won't Fix      Undecided    Unassigned
  Hardy                     Won't Fix      Undecided    Unassigned
  Karmic                    Won't Fix      Undecided    Unassigned
  Lucid                     Won't Fix      Undecided    Unassigned
  Maverick                  Won't Fix      Undecided    Unassigned
  Natty                     Won't Fix      Undecided    Unassigned
firefox (Ubuntu)            Fix Released   Undecided    Micah Gersten
  Hardy                     Invalid        Undecided    Unassigned
  Karmic                    Won't Fix      Undecided    Unassigned
  Lucid                     Won't Fix      Undecided    Micah Gersten
  Maverick                  Won't Fix      Undecided    Micah Gersten
  Natty                     Fix Released   Undecided    Micah Gersten
nss (Ubuntu)                Fix Released   Undecided    Chris Coulson
  Hardy                     Fix Released   Medium       Micah Gersten
  Karmic                    Fix Released   Undecided    Unassigned
  Lucid                     Fix Released   Undecided    Unassigned
  Maverick                  Fix Released   Undecided    Unassigned
  Natty                     Fix Released   Undecided    Chris Coulson
qt4-x11 (Ubuntu)            Invalid        Undecided    Unassigned
  Hardy                     Invalid        Undecided    Unassigned
  Karmic                    Invalid        Undecided    Unassigned
  Lucid                     Invalid        Undecided    Unassigned
  Maverick                  Invalid        Undecided    Unassigned
  Natty                     Invalid        Undecided    Unassigned

Bug Description

Binary package hint: firefox

Blacklist fraudulent UTN-USERFirst-Hardware certificates

http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
Fixed upstream in 3.6.16 and 4.0

For nss: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/de5774217cc33669#

Other packages are affected as well, e.g. ca-certificates, openssl, kdelibs, qt-x11, Java (?),
and everything that depends on those: epiphany, konqueror, rekonq, wget, curl, ...

visibility: private → public
description: updated
summary: - Blocking Fraudulent Certificates
+ Blacklist fraudulent UTN-USERFirst-Hardware certificates
description: updated
description: updated
Paul Bryan (pbryan) wrote:

Does Ubuntu have a working group to determine which certificates should be included in its distributed software?

description: updated
giff gill (giffgilll-deactivatedaccount) wrote:

As I understand it, the Debian ca-certificates is shipped more or less unmodified, so no.
Also Bug #103074.

description: updated
description: updated
Jamie Strandboge (jdstrand) wrote:
Changed in firefox (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: New → Fix Released
Changed in kdelibs (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: New → In Progress
Changed in nss (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
status: New → In Progress
Changed in ca-certificates (Ubuntu):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote:

3.12.9+ckbi-1.82-0ubuntu1 uploaded to Natty.

Changed in nss (Ubuntu):
assignee: Micah Gersten (micahg) → Chris Coulson (chrisccoulson)
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote:

qt4-x11 is being tracked in bug #742377.

affects: kdelibs (Ubuntu) → qt4-x11 (Ubuntu)
Changed in qt4-x11 (Ubuntu):
assignee: Micah Gersten (micahg) → nobody
status: In Progress → Invalid
Micah Gersten (micahg)
Changed in firefox (Ubuntu Hardy):
status: New → Invalid
Changed in nss (Ubuntu Hardy):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.8.04.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Mon, 28 Mar 2011 03:30:20 -0500

Changed in nss (Ubuntu Hardy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.10.04.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Mon, 28 Mar 2011 14:55:05 -0500

Changed in nss (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.10.10.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Tue, 29 Mar 2011 03:13:10 -0500

Changed in nss (Ubuntu Maverick):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.9.10.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.9.10.1) karmic-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent certificates
      as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
      attempting to verify one of these fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols
 -- Micah Gersten <email address hidden> Mon, 28 Mar 2011 04:04:10 -0500

Changed in nss (Ubuntu Karmic):
status: New → Fix Released
Changed in ca-certificates (Ubuntu Natty):
status: Triaged → Won't Fix
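As an added example (not code from the bug report or from any Ubuntu package), the version check an administrator would script to confirm that the libnss3-1d package on a host is at or above the fixed version named in the changelogs above. It reimplements dpkg's version ordering in the Python standard library so it runs without dpkg; FIXED_NSS copies the per-release versions from this bug, and the installed version is assumed to come from `dpkg-query -W -f='${Version}' libnss3-1d`.

```python
FIXED_NSS = {  # fixed package versions, copied from the changelogs in this bug
    "hardy": "3.12.9+ckbi-1.82-0ubuntu0.8.04.1",
    "karmic": "3.12.9+ckbi-1.82-0ubuntu0.9.10.1",
    "lucid": "3.12.9+ckbi-1.82-0ubuntu0.10.04.1",
    "maverick": "3.12.9+ckbi-1.82-0ubuntu0.10.10.1",
    "natty": "3.12.9+ckbi-1.82-0ubuntu1",
}

def _order(c):
    # dpkg weight: digits/end-of-string 0, letters by code point, '~' -1, other punctuation ord+256
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    # Compare one upstream or revision string as dpkg does: alternate non-digit runs (by weight)
    # and digit runs (numerically); '~' sorts below everything, even the end of the string.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # the longer digit run is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def deb_version_cmp(a, b):
    # Split "[epoch:]upstream[-revision]" and compare the three parts in order.
    def split(v):
        epoch, _, rest = v.rpartition(":")
        upstream, _, revision = rest.rpartition("-")
        return int(epoch or 0), upstream or rest, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def nss_has_distrust_fix(series, installed):
    return deb_version_cmp(installed, FIXED_NSS[series]) >= 0
```

A later upstream nss release compares as newer than the fixed version, which is the same ordering apt uses when it decides whether the security update is still pending.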
Micah Gersten (micahg) wrote:

Marking tasks as Won't Fix for now since ca-certificates has no blacklist functionality at the moment and we don't want to diverge from Debian. If Debian adds this functionality, we will revisit this.

Changed in ca-certificates (Ubuntu Maverick):
status: New → Won't Fix
Changed in ca-certificates (Ubuntu Lucid):
status: New → Won't Fix
Changed in ca-certificates (Ubuntu Karmic):
status: New → Won't Fix
Changed in ca-certificates (Ubuntu Hardy):
status: New → Invalid
status: Invalid → Won't Fix
Micah Gersten (micahg) wrote:

qt4-x11 was fixed in bug #742377

Changed in qt4-x11 (Ubuntu Maverick):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Lucid):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Karmic):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Hardy):
status: New → Invalid
Micah Gersten (micahg)
Changed in ca-certificates (Ubuntu):
status: Triaged → Won't Fix
jochen (jbecker) wrote: Re: [Bug 741729] unsubscribe

How can I unsubscribe from this?

Greetings,
jochen

Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in firefox (Ubuntu Karmic):
status: New → Won't Fix
Changed in firefox (Ubuntu Lucid):
status: New → Triaged
assignee: nobody → Micah Gersten (micahg)
Changed in firefox (Ubuntu Maverick):
status: New → Triaged
assignee: nobody → Micah Gersten (micahg)
Jamie Strandboge (jdstrand) wrote:

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in firefox (Ubuntu Maverick):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) wrote:

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in firefox (Ubuntu Lucid):
status: Triaged → Won't Fix