fraudulent DigiNotar certificate issuance

Bug #837557 reported by Micah Gersten
This bug affects 6 people
Affects                    Status        Importance  Assigned to             Milestone
ca-certificates (Debian)   Fix Released  Unknown
ca-certificates (Ubuntu)   Fix Released  Medium      Unassigned
  Lucid                    Fix Released  Medium      Micah Gersten
  Maverick                 Fix Released  Medium      Micah Gersten
  Natty                    Fix Released  Medium      Micah Gersten
  Oneiric                  Fix Released  Medium      Jamie Strandboge
chromium-browser (Ubuntu)  Fix Released  Undecided   Unassigned
  Lucid                    Fix Released  Undecided   Unassigned
  Maverick                 Fix Released  Undecided   Unassigned
  Natty                    Fix Released  Undecided   Unassigned
  Oneiric                  Fix Released  Undecided   Unassigned
firefox (Ubuntu)           Fix Released  Medium      Chris Coulson
  Lucid                    Fix Released  Medium      Micah Gersten
  Maverick                 Fix Released  Medium      Micah Gersten
  Natty                    Fix Released  Medium      Micah Gersten
  Oneiric                  Fix Released  Medium      Chris Coulson
nss (Ubuntu)               Fix Released  Medium      Micah Gersten
  Lucid                    Fix Released  Medium      Micah Gersten
  Maverick                 Fix Released  Medium      Micah Gersten
  Natty                    Fix Released  Medium      Micah Gersten
  Oneiric                  Fix Released  Medium      Micah Gersten
qt4-x11 (Ubuntu)           Fix Released  Medium      Didier Roche-Tolomelli
  Lucid                    Fix Released  Medium      Micah Gersten
  Maverick                 Fix Released  Medium      Micah Gersten
  Natty                    Fix Released  Medium      Micah Gersten
  Oneiric                  Fix Released  Medium      Didier Roche-Tolomelli
seamonkey (Ubuntu)         Confirmed     Undecided   Unassigned
  Lucid                    Won't Fix     Undecided   Unassigned
  Maverick                 Won't Fix     Undecided   Unassigned
  Natty                    Won't Fix     Undecided   Unassigned
  Oneiric                  Won't Fix     Undecided   Unassigned
thunderbird (Ubuntu)       Fix Released  Medium      Chris Coulson
  Lucid                    Fix Released  Medium      Micah Gersten
  Maverick                 Fix Released  Medium      Micah Gersten
  Natty                    Fix Released  Medium      Micah Gersten
  Oneiric                  Fix Released  Medium      Chris Coulson
xulrunner-1.9.2 (Ubuntu)   Invalid       Medium      Unassigned
  Lucid                    Fix Released  Medium      Micah Gersten
  Maverick                 Fix Released  Medium      Micah Gersten
  Natty                    Fix Released  Medium      Unassigned
  Oneiric                  Invalid       Medium      Unassigned

Bug Description

USN Information: This is being tracked in USN-1197-*

NOTE: The Firefox update causes a regression for certain Dutch sites which is being tracked in Bug #838322.
NOTE #2: The current update for Thunderbird still shows the DigiNotar Root CA as trusted in the certificate manager. This is due to Thunderbird using the system version of NSS. In this initial update, Thunderbird will actively distrust any certificate signed by the DigiNotar Root CA. Future updates will properly show the root CA as distrusted in the certificate manager.

WORKAROUND (from blog post):
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

-------------------------------------------------

http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

Qt 4.7 blog post: http://labs.qt.nokia.com/2011/09/07/what-the-diginotar-security-breach-means-for-qt-users-continued/

Micah Gersten (micahg)
visibility: private → public
Changed in firefox (Ubuntu Maverick):
importance: Undecided → Medium
Changed in firefox (Ubuntu Natty):
importance: Undecided → Medium
Changed in firefox (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Maverick):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Natty):
importance: Undecided → Medium
Changed in thunderbird (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in firefox (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
Changed in firefox (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in firefox (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
Changed in thunderbird (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
Changed in thunderbird (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in thunderbird (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
Changed in firefox (Ubuntu Maverick):
status: New → In Progress
Changed in firefox (Ubuntu Natty):
status: New → In Progress
Changed in firefox (Ubuntu Oneiric):
status: New → In Progress
Changed in thunderbird (Ubuntu Maverick):
status: New → In Progress
Changed in thunderbird (Ubuntu Natty):
status: New → In Progress
Changed in thunderbird (Ubuntu Oneiric):
status: New → In Progress
Micah Gersten (micahg)
Changed in firefox (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in thunderbird (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in thunderbird (Ubuntu Oneiric):
assignee: Micah Gersten (micahg) → Chris Coulson (chrisccoulson)
Changed in firefox (Ubuntu Oneiric):
assignee: Micah Gersten (micahg) → Chris Coulson (chrisccoulson)
Micah Gersten (micahg)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 7.0~b3+build1+nobinonly-0ubuntu1

---------------
firefox (7.0~b3+build1+nobinonly-0ubuntu1) oneiric; urgency=low

  * New upstream release from the beta channel (FIREFOX_7_0b3_BUILD1)
    - LP: #837557
 -- Chris Coulson <email address hidden> Tue, 30 Aug 2011 19:15:51 +0100

Changed in firefox (Ubuntu Oneiric):
status: In Progress → Fix Released
Micah Gersten (micahg) wrote :

Marking natty triaged since xulrunner is no longer part of the default install in natty.

Changed in xulrunner-1.9.2 (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in xulrunner-1.9.2 (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in xulrunner-1.9.2 (Ubuntu Natty):
importance: Undecided → Medium
status: New → Triaged
Micah Gersten (micahg) wrote :

Oneiric is invalid as xulrunner is no longer in the distro

Changed in xulrunner-1.9.2 (Ubuntu Oneiric):
importance: Undecided → Medium
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.21+build1+nobinonly-0ubuntu0.10.04.1

---------------
firefox (3.6.21+build1+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.6.21 (FIREFOX_3_6_21_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Tue, 30 Aug 2011 13:56:17 -0500

Changed in firefox (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner-1.9.2 - 1.9.2.21+build1+nobinonly-0ubuntu0.10.04.1

---------------
xulrunner-1.9.2 (1.9.2.21+build1+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v1.9.2.21 (FIREFOX_3_6_21_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Wed, 31 Aug 2011 00:37:50 -0500

Changed in xulrunner-1.9.2 (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.21+build1+nobinonly-0ubuntu0.10.10.1

---------------
firefox (3.6.21+build1+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.6.21 (FIREFOX_3_6_21_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Tue, 30 Aug 2011 13:59:36 -0500

Changed in firefox (Ubuntu Maverick):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner-1.9.2 - 1.9.2.21+build1+nobinonly-0ubuntu0.10.10.1

---------------
xulrunner-1.9.2 (1.9.2.21+build1+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v1.9.2.21 (FIREFOX_3_6_21_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Wed, 31 Aug 2011 00:38:08 -0500

Changed in xulrunner-1.9.2 (Ubuntu Maverick):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 6.0.1+build1+nobinonly-0ubuntu0.11.04.1

---------------
firefox (6.0.1+build1+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * New upstream stable release (FIREFOX_6_0_1_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Tue, 30 Aug 2011 13:56:51 -0500

Changed in firefox (Ubuntu Natty):
status: In Progress → Fix Released
Micah Gersten (micahg)
summary: - Fraudulent *.google.com Certificate
+ fraudulent DigiNotar certificate issuance
Micah Gersten (micahg)
Changed in ca-certificates (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Micah Gersten (micahg)
Changed in ca-certificates (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Anonymous (sjklfjalkfsakl) wrote :

Also affects SeaMonkey (https://launchpad.net/ubuntu/+source/seamonkey). Please update SeaMonkey to version 2.3.2 so that this problem can be prevented there too. SeaMonkey version 2.3.2 erroneously identifies itself as version 2.3.1 (see https://bugzilla.mozilla.org/show_bug.cgi?id=683473). If you need to check that it's really 2.3.2 and not 2.3.1, go to https://www.diginotar.nl/ or to any other page signed by Diginotar. Version 2.3.1 will display the page without complaining whereas 2.3.2 will complain that the site is insecure.

Anonymous (sjklfjalkfsakl) wrote :

As you might have seen at Mozilla's Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=683449), the current Gecko fixes block too much, so there will soon be another update to the mentioned Gecko products, presumably requiring action in Ubuntu too.

Olivier Mengué (dolmen) wrote :

The proposed workaround is only for Firefox.
What about other applications that may access Google services on a Ubuntu system?
Can we simply "sudo rm /etc/ssl/certs/DigiNotar_Root_CA.pem" ?

Laurent Bigonville (bigon) wrote :

Debian has released ca-certificates version 20110502+nmu1 that fixes this

Changed in ca-certificates (Debian):
status: Unknown → Fix Released
Micah Gersten (micahg) wrote :

@Olivier Mengué
I am working on updates for NSS and ca-certificates to address this system wide.

@Anonymous
Seamonkey is currently not in a good state, but I will try to get an update for it eventually. In the mean time, the NSS update should take care of this security issue for most use cases.

description: updated
Jamie Strandboge (jdstrand) wrote :

[Updating] ca-certificates (20110502 [Ubuntu] < 20110502+nmu1 [Debian])
 * Trying to add ca-certificates...
2011-09-01 15:47:52 INFO - <ca-certificates_20110502+nmu1.dsc: downloading from http://ftp.debian.org/debian/>
2011-09-01 15:47:52 INFO - <ca-certificates_20110502+nmu1.tar.gz: downloading from http://ftp.debian.org/debian/>
I: ca-certificates [main] -> ca-certificates_20110502 [main].

Changed in ca-certificates (Ubuntu Oneiric):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

2011-09-01 15:48:25 INFO - <ca-certificates_20110502+nmu1.dsc: cached>
2011-09-01 15:48:25 INFO - <ca-certificates_20110502+nmu1.tar.gz: cached>
[Updating] ca-certificates (20110502 [Ubuntu] < 20110502+nmu1 [Debian])
 * Trying to add ca-certificates...
I: ca-certificates [main] -> ca-certificates_20110502 [main].

Changed in nss (Ubuntu Oneiric):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

2011-09-01 15:48:59 INFO - <ca-certificates_20110502+nmu1.dsc: cached>
2011-09-01 15:48:59 INFO - <ca-certificates_20110502+nmu1.tar.gz: cached>
[Updating] ca-certificates (20110502 [Ubuntu] < 20110502+nmu1 [Debian])
 * Trying to add ca-certificates...
I: ca-certificates [main] -> ca-certificates_20110502 [main].

Changed in qt4-x11 (Ubuntu Oneiric):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

2011-09-01 15:49:34 INFO - <ca-certificates_20110502+nmu1.dsc: cached>
2011-09-01 15:49:34 INFO - <ca-certificates_20110502+nmu1.tar.gz: cached>
[Updating] ca-certificates (20110502 [Ubuntu] < 20110502+nmu1 [Debian])
 * Trying to add ca-certificates...
I: ca-certificates [main] -> ca-certificates_20110502 [main].

Changed in thunderbird (Ubuntu Oneiric):
status: In Progress → Fix Released
status: Fix Released → In Progress
Changed in qt4-x11 (Ubuntu Oneiric):
status: Fix Released → New
Changed in nss (Ubuntu Oneiric):
status: Fix Released → New
Changed in ca-certificates (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in qt4-x11 (Ubuntu Maverick):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Natty):
status: New → Invalid
Changed in qt4-x11 (Ubuntu Oneiric):
status: New → Invalid
Changed in ca-certificates (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in ca-certificates (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in qt4-x11 (Ubuntu Lucid):
status: New → Confirmed
Changed in nss (Ubuntu Lucid):
status: New → Confirmed
Changed in nss (Ubuntu Maverick):
status: New → Confirmed
Changed in nss (Ubuntu Natty):
status: New → Confirmed
Changed in nss (Ubuntu Oneiric):
status: New → Confirmed
Changed in nss (Ubuntu Lucid):
importance: Undecided → Medium
Changed in nss (Ubuntu Maverick):
importance: Undecided → Medium
Changed in nss (Ubuntu Natty):
importance: Undecided → Medium
Changed in nss (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in qt4-x11 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in nss (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
Changed in nss (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
Changed in nss (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
Changed in nss (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
Changed in nss (Ubuntu Oneiric):
assignee: Micah Gersten (micahg) → nobody
Changed in ca-certificates (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in ca-certificates (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in ca-certificates (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in nss (Ubuntu Lucid):
status: Confirmed → In Progress
Changed in nss (Ubuntu Maverick):
status: Confirmed → In Progress
Changed in nss (Ubuntu Natty):
status: Confirmed → In Progress
Changed in seamonkey (Ubuntu Lucid):
status: New → Confirmed
Changed in seamonkey (Ubuntu Maverick):
status: New → Confirmed
Changed in seamonkey (Ubuntu Natty):
status: New → Confirmed
Changed in seamonkey (Ubuntu Oneiric):
status: New → Confirmed
Changed in chromium-browser (Ubuntu Lucid):
status: New → Confirmed
Changed in chromium-browser (Ubuntu Maverick):
status: New → Confirmed
Changed in chromium-browser (Ubuntu Natty):
status: New → Confirmed
Changed in chromium-browser (Ubuntu):
status: New → Confirmed
Micah Gersten (micahg) wrote :

UPDATE:
Unfortunately, the ca-certificates and NSS fixes available at the moment are only a partial fix that won't actually help very much. I'm currently waiting on fixes that should address this issue completely. I will be releasing Thunderbird in a few hours with the same fix that Firefox got which blocks the rogue certificates, but possibly causes a regression for certain Dutch sites (see Description of this bug).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.1.13+build1+nobinonly-0ubuntu0.10.10.1

---------------
thunderbird (3.1.13+build1+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.1.13 (THUNDERBIRD_3_1_13_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Wed, 31 Aug 2011 00:42:12 -0500

Changed in thunderbird (Ubuntu Maverick):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.1.13+build1+nobinonly-0ubuntu0.11.04.1

---------------
thunderbird (3.1.13+build1+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * New upstream release v3.1.13 (THUNDERBIRD_3_1_13_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Wed, 31 Aug 2011 00:43:28 -0500

Changed in thunderbird (Ubuntu Natty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.1.13+build1+nobinonly-0ubuntu0.10.04.1

---------------
thunderbird (3.1.13+build1+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.1.13 (THUNDERBIRD_3_1_13_BUILD1)
    - Distrust and disable DigiNotar Root CA due to fraudulent certificate
      issuance (LP: #837557)
 -- Micah Gersten <email address hidden> Wed, 31 Aug 2011 00:30:47 -0500

Changed in thunderbird (Ubuntu Lucid):
status: In Progress → Fix Released
Micah Gersten (micahg)
description: updated
Peter Hartmann (peter-hartmann-m) wrote :

regarding the Qt bundle: I cannot find the DigiNotar root cert in there, the bundle is really old apparently.
(did:
cd src/network/ssl
csplit -s qt-ca-bundle.crt '/^$/' {*}
for i in $(ls ./xx*); do echo $i; openssl x509 -text -noout -in $i; done|grep -i 'subject:'|grep -i diginotar
... does not yield anything).

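Two earlier comments ask the same defensive question from different angles: Olivier asks whether deleting /etc/ssl/certs/DigiNotar_Root_CA.pem is enough, and Peter checks the Qt bundle by splitting it and grepping the subject of each certificate with openssl. The script below is an added example (not part of this bug report, nor of ca-certificates, NSS or Qt) that performs that audit on any PEM bundle without external tools: it walks each certificate's DER far enough to read the subject commonName, computes the SHA-256 fingerprint, and reports any certificate that matches a distrusted name or fingerprint. The certificates in SAMPLE_BUNDLE are constructed, unsigned placeholders whose only realistic part is the subject Name; DISTRUSTED_NAMES is the list of CAs named in the NSS changelog on this bug. Keep in mind that such a check only covers the bundle you point it at: NSS-based applications such as Firefox and Thunderbird read their own certdata, and Qt ships its own bundle, which is why this bug carries a task per package.

```python
import base64
import hashlib
import re

# --- tiny DER helpers: enough to build the constructed sample and to walk a
#     real certificate down to its subject name (standard library only) ---

def der_len(n):
    """DER length octets for a body of n bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(body):
    """All (tag, value) pairs directly inside a constructed DER body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def subject_cn(der):
    """Subject commonName of a DER-encoded certificate ('' if it has none)."""
    _, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]               # serial, sigAlg, issuer, validity, subject
    for _, rdn in children(subject):     # RDNSequence -> SET OF ...
        for _, atv in children(rdn):     # ... AttributeTypeAndValue
            oid, value = children(atv)
            if oid[1] == CN_OID:
                return value[1].decode("utf-8", "replace")
    return ""

# --- constructed sample certificates (NOT real DigiNotar material): the
#     outer structure is a Certificate with a real subject Name, but key,
#     signature and validity are placeholders and nothing is signed ---

def build_sample_cert(cn):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"110101000000Z") + tlv(0x17, b"211231235959Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))  # version v3
                    + tlv(0x02, b"\x01")          # serialNumber
                    + sha256_rsa                  # signature algorithm
                    + name                        # issuer
                    + validity
                    + name                        # subject
                    + tlv(0x30, b""))             # subjectPublicKeyInfo placeholder
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))  # empty BIT STRING signature

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed bundle standing in for /etc/ssl/certs/ca-certificates.crt.
SAMPLE_BUNDLE = to_pem(build_sample_cert("Example Trusted CA")) + to_pem(build_sample_cert("DigiNotar Root CA"))

# Names as listed in the NSS changelog on this bug. Fingerprints of the real
# certificates would come from a vendor advisory and are deliberately not included.
DISTRUSTED_NAMES = [
    "DigiNotar Root CA", "DigiNotar Services 1024 CA", "DigiNotar Cyber CA",
    "DigiNotar Cyber CA 2nd", "DigiNotar PKIoverheid", "DigiNotar PKIoverheid G2",
]

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def certs_in_bundle(pem_text):
    for m in PEM_RE.finditer(pem_text):
        yield base64.b64decode("".join(m.group(1).split()))

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def audit_bundle(pem_text, distrusted_names, distrusted_fingerprints):
    """(cn, sha256) for every certificate still in the bundle that matches a
    distrusted name (case-insensitive substring) or an exact SHA-256 fingerprint."""
    hits = []
    for der in certs_in_bundle(pem_text):
        cn, fp = subject_cn(der), fingerprint(der)
        by_name = any(n.lower() in cn.lower() for n in distrusted_names)
        if by_name or fp in distrusted_fingerprints:
            hits.append((cn, fp))
    return hits

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for cn, fp in audit_bundle(text, DISTRUSTED_NAMES, set()):
        print("STILL TRUSTED: %s  sha256=%s" % (cn, fp))
```

Run it against a real bundle with `python3 audit.py /etc/ssl/certs/ca-certificates.crt` (or against Qt's qt-ca-bundle.crt). Name matching mirrors what ca-certificates' blacklist.txt and NSS certdata do, and is convenient for a quick scan; fingerprint matching is the stricter check, since a subject string is attacker-chosen while the fingerprint pins the exact certificate. Note also that a fix which removes a root from a bundle is weaker than one that actively distrusts it, which is the distinction the NSS changelogs below draw.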
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 7.0~b2+build2+nobinonly-0ubuntu1

---------------
thunderbird (7.0~b2+build2+nobinonly-0ubuntu1) oneiric; urgency=low

  * New upstream release from the beta channel (THUNDERBIRD_7_0b2_BUILD2)
    - LP: #837557 and LP: #838322

  * Update globalmenu-extension to 2.0
    - Only update a menu in realtime if it's parent is opening. For all other
      times, just invalidate the menu. Avoids spamming dbus everytime
      something changes in the menu
    - When removing a menuitem from its parent, check that the index is
      in-bounds. Should fix a frequent crash on startup, although it doesn't
      explain how it gets in to that state in the first place
    - Add the ability to turn on debugging without building Firefox with
      debugging on
  * Add upstream patch to only add ENABLE_JIT=1 to CXXFLAGS if any of trace/
    method/yarr jit is enabled. Fixes a build failure on PPC
    - add debian/patches/only-add-ENABLE_JIT-to-CXXFLAGS-if-jit-is-enabled.patch
    - update debian/patches/series
  * Add upstream patch to fix build failure with ENABLE_YARR_JIT=0
    - add debian/patches/build-fix-for-no-ENABLE_YARR_JIT.patch
    - update debian/patches/series
  * Add upstream patch to work around a linker bug
    - add debian/patches/compile-pldhash-as-C++.patch
    - update debian/patches/series
  * Don't pass an empty --mozilla-repo= argument to client.py when creating
    the source tarball without a local cache, as it totally breaks. This is
    why we've got rid of all this in nightly and aurora, so we can avoid
    such bandaids in the first place
    - update debian/mozclient/thunderbird.conf
  * Messagingmenu fixes:
    - Use the libunity5 ABI (LP: #839154)
    - Don't use QueryInterface on objects where we can't guarantee they
      implement a particular interface (LP: #826447)
  * Make sure that thunderbird-gnome-support actually depends on libunity5
    - update debian/rules
  * Update eds extension to r84 from 0.3 branch
    - fixes a shutdown crash
  * Use the latest eds libs for the contacts integration
 -- Chris Coulson <email address hidden> Tue, 06 Sep 2011 00:19:41 +0100

Changed in thunderbird (Ubuntu Oneiric):
status: In Progress → Fix Released
Micah Gersten (micahg) wrote :

Just found out Qt 4.7 has a blacklist patch, so reopening tasks for maverick/natty/oneiric

Changed in qt4-x11 (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: Invalid → In Progress
Changed in qt4-x11 (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: Invalid → In Progress
Changed in qt4-x11 (Ubuntu Oneiric):
importance: Undecided → Medium
status: Invalid → Triaged
description: updated
description: updated
Micah Gersten (micahg) wrote :

Didier,
I was told you're doing a qt4-x11 upload, can you include the blacklist patch from the blog post in the Description of this bug?

Changed in qt4-x11 (Ubuntu Oneiric):
assignee: nobody → Didier Roche (didrocks)
yamo (stephane-gregoire) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.10.04.3

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.3) lucid-security; urgency=low

  * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
    3.12.9 to remove the DigiNotar certificates and actively distrust them;
    Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Explicitely distrust various DigiNotar CAs:
      - DigiNotar Root CA
      - DigiNotar Services 1024 CA
      - DigiNotar Cyber CA
      - DigiNotar Cyber CA 2nd
      - DigiNotar PKIoverheid
      - DigiNotar PKIoverheid G2
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Remove DigiNotar Root CA.
 -- Micah Gersten <email address hidden> Wed, 07 Sep 2011 14:53:13 -0500

Changed in nss (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu0.10.10.3

---------------
nss (3.12.9+ckbi-1.82-0ubuntu0.10.10.3) maverick-security; urgency=low

  * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
    3.12.9 to remove the DigiNotar certificates and actively distrust them;
    Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Explicitely distrust various DigiNotar CAs:
      - DigiNotar Root CA
      - DigiNotar Services 1024 CA
      - DigiNotar Cyber CA
      - DigiNotar Cyber CA 2nd
      - DigiNotar PKIoverheid
      - DigiNotar PKIoverheid G2
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Remove DigiNotar Root CA.
 -- Micah Gersten <email address hidden> Wed, 07 Sep 2011 14:55:24 -0500

Changed in nss (Ubuntu Maverick):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu2.1

---------------
nss (3.12.9+ckbi-1.82-0ubuntu2.1) natty-security; urgency=low

  * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
    3.12.9 to remove the DigiNotar certificates and actively distrust them;
    Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Explicitely distrust various DigiNotar CAs:
      - DigiNotar Root CA
      - DigiNotar Services 1024 CA
      - DigiNotar Cyber CA
      - DigiNotar Cyber CA 2nd
      - DigiNotar PKIoverheid
      - DigiNotar PKIoverheid G2
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Remove DigiNotar Root CA.
 -- Micah Gersten <email address hidden> Wed, 07 Sep 2011 15:15:37 -0500

Changed in nss (Ubuntu Natty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20090814ubuntu0.10.04.1

---------------
ca-certificates (20090814ubuntu0.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: Blacklist "DigiNotar Root CA" due to fraudulent
    certificate issuance (LP: #837557)
    - update mozilla/blacklist.txt
 -- Micah Gersten <email address hidden> Thu, 01 Sep 2011 11:38:01 -0500

Changed in ca-certificates (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20090814ubuntu0.10.10.1

---------------
ca-certificates (20090814ubuntu0.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: Blacklist "DigiNotar Root CA" due to fraudulent
    certificate issuance (LP: #837557)
    - update mozilla/blacklist.txt
 -- Micah Gersten <email address hidden> Thu, 01 Sep 2011 11:42:30 -0500

Changed in ca-certificates (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20090814+nmu2ubuntu0.1

---------------
ca-certificates (20090814+nmu2ubuntu0.1) natty-security; urgency=low

  * SECURITY UPDATE: Blacklist "DigiNotar Root CA" due to fraudulent
    certificate issuance (LP: #837557)
    - update mozilla/blacklist.txt
 -- Micah Gersten <email address hidden> Thu, 01 Sep 2011 11:53:21 -0500

Changed in ca-certificates (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.7.4-0ubuntu1

---------------
qt4-x11 (4:4.7.4-0ubuntu1) oneiric; urgency=low

  * New upstream release (LP: #839557, #785318)
  * debian/patches/Add_support_for_QT_USE_DRAG_DISTANCE_env_var.patch,
    debian/patches/a11y_qt_and_qml_backport.diff,
    debian/patches/qtdebug_syslog.patch,
    debian/patches/kubuntu_12_fix_stack_protector.diff,
    debian/patches/kubuntu_28_xi2.1.patch:
    - adapt to new upstream version
  * Fix_GL_problems_on_stock_1.4_SGX_drivers.patch,
    Fixed_missing_text_when_using_static_text_items_in_GL_2_engine.patch,
    Prevent_recursion_when_creating_window_surface.patch,
    kubuntu_24_large_qtreeview.diff,
    kubuntu_27_dbus_signal_filter_passes_not_handled.diff:
    - removed, part of the upstream tarball now
  * debian/patches/kubuntu_15_appmenu.diff:
    - updated to take a version closer to the upstreamed 4.8 one. Is compatible
      with incoming appmenu-qt 0.2.2 (LP: #838115)
  * debian/libqt4-declarative.install:
    - libtcpserver.so has been renamed libqmldbg_tcp.so
  * debian/control, debian/libqt4-declarative-shaders.install:
    - add the new shaders package. Use the same suggests/recommends pattern
      than other declarative-* plugins
  * debian/patches/blacklist-diginotar-certs.diff:
    - add DigiNotar securty breach blacklist (LP: #837557)
 -- Didier Roche <email address hidden> Thu, 08 Sep 2011 11:33:52 +0200

Changed in qt4-x11 (Ubuntu Oneiric):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.9+ckbi-1.82-0ubuntu5

---------------
nss (3.12.9+ckbi-1.82-0ubuntu5) oneiric; urgency=low

  * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
    3.12.9 to remove the DigiNotar certificates and actively distrust them;
    Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Explicitely distrust various DigiNotar CAs:
      - DigiNotar Root CA
      - DigiNotar Services 1024 CA
      - DigiNotar Cyber CA
      - DigiNotar Cyber CA 2nd
      - DigiNotar PKIoverheid
      - DigiNotar PKIoverheid G2
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Remove DigiNotar Root CA.
  * Add a symlink from Linux2.6.mk to Linux3.0.mk; This is a temporary hack to
    let NSS build on a 3.0.x kernel
    - update debian/rules
 -- Micah Gersten <email address hidden> Fri, 09 Sep 2011 11:57:13 -0500

Changed in nss (Ubuntu Oneiric):
status: Confirmed → Fix Released
Micah Gersten (micahg) wrote :

Lucid, Maverick, and Natty builds of qt4-x11 will be available in ubuntu-security-proposed in several hours for anyone who is interested

Changed in nss (Ubuntu Oneiric):
assignee: nobody → Micah Gersten (micahg)
Changed in qt4-x11 (Ubuntu Maverick):
status: In Progress → Fix Committed
Micah Gersten (micahg) wrote :

While Lucid doesn't have the DigiNotar root CA, we can still blacklist like we did for Comodo.

Changed in qt4-x11 (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in qt4-x11 (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
status: Confirmed → Fix Committed
Changed in ca-certificates (Debian):
importance: Unknown → Undecided
status: Fix Released → New
Micah Gersten (micahg) wrote :

Please don't change bug watches without a comment.

Changed in ca-certificates (Debian):
importance: Undecided → Unknown
status: New → Unknown
Changed in ca-certificates (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.6.2-0ubuntu5.3

---------------
qt4-x11 (4:4.6.2-0ubuntu5.3) lucid-security; urgency=low

  * SECURITY UPDATE: Blacklist Diginotar root and intermediate certificates;
    Fraudulent certificates were mis-issued that could allow an attacker to
    monitor secure communication through a man-in-the-middle (MITM) attack
    - add debian/patches/kubuntu_31_blacklist_ssl_certificates_part2.diff
    - LP: #837557
 -- Micah Gersten <email address hidden> Fri, 09 Sep 2011 18:36:48 -0500

Changed in qt4-x11 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.7.0-0ubuntu4.4

---------------
qt4-x11 (4:4.7.0-0ubuntu4.4) maverick-security; urgency=low

  * SECURITY UPDATE: Blacklist Diginotar root and intermediate certificates;
    Fraudulent certificates were mis-issued that could allow an attacker to
    monitor secure communication through a man-in-the-middle (MITM) attack
    - add debian/patches/kubuntu_31_blacklist_ssl_certificates_part2.diff
    - LP: #837557
 -- Micah Gersten <email address hidden> Fri, 09 Sep 2011 15:43:49 -0500

Changed in qt4-x11 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.7.2-0ubuntu6.3

---------------
qt4-x11 (4:4.7.2-0ubuntu6.3) natty-security; urgency=low

  * SECURITY UPDATE: Blacklist Diginotar root and intermediate certificates;
    Fraudulent certificates were mis-issued that could allow an attacker to
    monitor secure communication through a man-in-the-middle (MITM) attack
    - add debian/patches/kubuntu_31_blacklist_ssl_certificates_part2.diff
    - LP: #837557
 -- Micah Gersten <email address hidden> Fri, 09 Sep 2011 18:27:52 -0500

Changed in qt4-x11 (Ubuntu Natty):
status: Fix Committed → Fix Released
Dmitry Shachnev (mitya57) wrote :

Fixed with the recent update to Chromium 14.

Changed in chromium-browser (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in chromium-browser (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in chromium-browser (Ubuntu Maverick):
status: Confirmed → Fix Committed
Changed in chromium-browser (Ubuntu Natty):
status: Confirmed → Fix Committed
Revision history for this message
Micah Gersten (micahg) wrote :

Fixed in 14.0.835.202~r103287-0ubuntu0.10.04.2

Changed in chromium-browser (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Micah Gersten (micahg) wrote :

Fixed in 14.0.835.202~r103287-0ubuntu0.10.10.1

Changed in chromium-browser (Ubuntu Maverick):
status: Fix Committed → Fix Released
Revision history for this message
Micah Gersten (micahg) wrote :

Fixed in 14.0.835.202~r103287-0ubuntu0.11.04.1

Changed in chromium-browser (Ubuntu Natty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner-1.9.2 - 1.9.2.27+build1+nobinonly-0ubuntu0.11.04.1

---------------
xulrunner-1.9.2 (1.9.2.27+build1+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: New upstream release v1.9.2.27 (FIREFOX_3_6_27_BUILD1)
    See the following for more information:
    - LP: #934073
    - USN-1353-1
    - USN-1251-1
    - USN-1210-1
    - LP: #838322
    - LP: #837557
    - USN-1184-1
    - USN-1149-1
 -- Jamie Strandboge <email address hidden> Fri, 17 Feb 2012 08:04:19 -0600

Changed in xulrunner-1.9.2 (Ubuntu Natty):
status: Triaged → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in seamonkey (Ubuntu Maverick):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in seamonkey (Ubuntu Natty):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in seamonkey (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Changed in seamonkey (Ubuntu Lucid):
status: Confirmed → Won't Fix
Changed in ca-certificates (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
Revision history for this message
Nora Blob (no-rabe) wrote :

Hello, I observed this issue in:

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 17.10
Release: 17.10
Codename: artful

I also observed it in a local build from the Gentoo repositories. I attached the certs and will open issues at Gentoo and Mozilla.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Nora Blob, Ubuntu 17.10 is EOL and not supported any longer. Is the issue present in a supported release of Ubuntu (14.04, 16.04, 18.04, 18.10) or in the current development version (19.04)?

Revision history for this message
Nora Blob (no-rabe) wrote :

Hello Olivier Tilloy,
I can reproduce this issue in

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic

I created a new profile with firefox -p --new-instance, and got the certificates in the new profile with the new instance. If I delete the certificates, they will be in the certificate manager again with every new profile.

Revision history for this message
Nora Blob (no-rabe) wrote :

Hello Olivier Tilloy,
can you verify this issue?

Best regards
