Debian Stretch Openstack images changelog

9.12.3-20200608

Updates in 2 source package(s), 6 binary package(s):

  Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

  bind9 (1:9.10.3.dfsg.P4-12.3+deb9u6) stretch-security; urgency=medium

    * [CVE-2020-8616]: Fix NXNSATTACK amplification attack on BIND 9
    * [CVE-2020-8617]: Fix assertion failure in TSIG processing code

  Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates:arm64

  ca-certificates (20200601~deb9u1) stretch; urgency=medium

    * Rebuild for stretch.
    * Merge changes from 20200601
      - d/control
    * This release updates the Mozilla CA bundle to 2.40, blacklists
      distrusted Symantec roots, and blacklists expired "AddTrust External
      Root". Closes: #956411, #955038, #911289, #961907
    * Fix permissions on /usr/local/share/ca-certificates when using symlinks.
      Closes: #916833
    * Remove email-only roots from mozilla trust store. Closes: #721976

  ca-certificates (20200601) unstable; urgency=medium

    * debian/control:
      Set Standards-Version: 4.5.0.2
      Set Build-Depends: debhelper-compat (= 13)
    * debian/copyright:
      Replace tabs in license text
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.40.
      Closes: #956411, #955038
    * mozilla/blacklist.txt
      Add distrusted Symantec CA list to blacklist for explicit removal.
      Closes: #911289
      Blacklist expired root certificate, "AddTrust External Root"
      Closes: #961907
      The following certificate authorities were added (+):
      + "Certigna Root CA"
      + "emSign ECC Root CA - C3"
      + "emSign ECC Root CA - G3"
      + "emSign Root CA - C1"
      + "emSign Root CA - G1"
      + "Entrust Root Certification Authority - G4"
      + "GTS Root R1"
      + "GTS Root R2"
      + "GTS Root R3"
      + "GTS Root R4"
      + "Hongkong Post Root CA 3"
      + "UCA Extended Validation Root"
      + "UCA Global G2 Root"
      The following certificate authorities were removed (-):
      - "AddTrust External Root"
      - "Certinomis - Root CA"
      - "Certplus Class 2 Primary CA"
      - "Deutsche Telekom Root CA 2"
      - "GeoTrust Global CA"
      - "GeoTrust Primary Certification Authority"
      - "GeoTrust Primary Certification Authority - G2"
      - "GeoTrust Primary Certification Authority - G3"
      - "GeoTrust Universal CA"
      - "thawte Primary Root CA"
      - "thawte Primary Root CA - G2"
      - "thawte Primary Root CA - G3"
      - "VeriSign Class 3 Public Primary Certification Authority - G4"
      - "VeriSign Class 3 Public Primary Certification Authority - G5"
      - "VeriSign Universal Root Certification Authority"

  ca-certificates (20190110) unstable; urgency=high

    * debian/control:
      Depend on openssl (>= 1.1.1).
      Set Standards-Version: 4.3.0.1.
      Set Build-Depends: debhelper-compat (= 12); drop d/compat
      Remove trailing whitespace from d/changelog.
    * debian/ca-certificates.postinst:
      Fix permissions on /usr/local/share/ca-certificates when using symlinks.
      Closes: #916833
    * sbin/update-ca-certificates:
      Remove orphan symlinks found in /etc/ssl/certs to prevent
      `openssl rehash` from exiting with an error. Closes: #895482, #895473
      This will also fix removal of user CA certificates from /usr/local
      without needing to run --fresh. Closes: #911303
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.28.
      The following certificate authorities were added (+):
      + "GlobalSign Root CA - R6"
      + "OISTE WISeKey Global Root GC CA"
      The following certificate authorities were removed (-):
      - "Certplus Root CA G1"
      - "Certplus Root CA G2"
      - "OpenTrust Root CA G1"
      - "OpenTrust Root CA G2"
      - "OpenTrust Root CA G3"
      - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
      - "Visa eCommerce Root"

  ca-certificates (20180409) unstable; urgency=medium

    [ Michael Shuler ]
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.22.
      The following certificate authorities were added (+):
      + "GDCA TrustAUTH R5 ROOT"
      + "SSL.com EV Root Certification Authority ECC"
      + "SSL.com EV Root Certification Authority RSA R2"
      + "SSL.com Root Certification Authority ECC"
      + "SSL.com Root Certification Authority RSA"
      + "TrustCor ECA-1"
      + "TrustCor RootCert CA-1"
      + "TrustCor RootCert CA-2"
      The following certificate authorities were removed (-):
      - "ACEDICOM Root"
      - "AddTrust Low-Value Services Root"
      - "AddTrust Public Services Root"
      - "AddTrust Qualified Certificates Root"
      - "CA Disig Root R1"
      - "CNNIC ROOT"
      - "Camerfirma Chambers of Commerce Root"
      - "Camerfirma Global Chambersign Root"
      - "Certinomis - Autorité Racine"
      - "Certum Root CA"
      - "China Internet Network Information Center EV Certificates Root"
      - "Comodo Secure Services root"
      - "Comodo Trusted Services root"
      - "DST ACES CA X6"
      - "GeoTrust Global CA 2"
      - "PSCProcert"
      - "Security Communication EV RootCA1"
      - "Swisscom Root CA 1"
      - "Swisscom Root CA 2"
      - "Swisscom Root EV CA 2"
      - "TURKTRUST Certificate Services Provider Root 2007"
      - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
      - "UTN USERFirst Hardware Root CA"
    * mozilla/blacklist.txt
      Update blacklist to remove certificates no longer in certdata.txt and
      explicitly ignore distrusted certificates.
    * debian/copyright:
      Fix lintian insecure-copyright-format-uri with https URL.
    * debian/changelog:
      Fix lintian file-contains-trailing-whitespace.
    * debian/{compat,control}:
      Set to debhelper compat 11.
    * Update openssl dependency to >= 1.1.0 to support `openssl rehash`
      and drop usage of `c_rehash` script. Closes: #895075

    [ Thijs Kinkhorst ]
    * Remove Christian Perrier from uploaders at his request (closes: #894070).
    * Checked for policy 4.1.4, no changes.

  ca-certificates (20170717) unstable; urgency=medium

    * Update to Standards-Version: 4.0.1
    * debian/ca-certificates.postinst:
      Prevent postinst failure on read-only /usr/local. Closes: #843722
    * mozilla/certdata2pem.py:
      Remove email-only roots from mozilla trust store. Closes: #721976
    * mozilla/{certdata.txt,nssckbi.h}:
      Update Mozilla certificate authority bundle to version 2.14.
      Closes: #858064
      The following certificate authorities were added (+):
      + "AC RAIZ FNMT-RCM"
      + "Amazon Root CA 1"
      + "Amazon Root CA 2"
      + "Amazon Root CA 3"
      + "Amazon Root CA 4"
      + "D-TRUST Root CA 3 2013"
      + "LuxTrust Global Root 2"
      + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
      The following certificate authorities were removed (-):
      - "AC Raiz Certicamara S.A."
      - "ApplicationCA - Japanese Government"
      - "Buypass Class 2 CA 1"
      - "ComSign CA"
      - "EBG Elektronik Sertifika Hizmet Saglayicisi"
      - "Equifax Secure CA"
      - "Equifax Secure eBusiness CA 1"
      - "Equifax Secure Global eBusiness CA"
      - "IGC/A"
      - "Juur-SK"
      - "Microsec e-Szigno Root CA"
      - "Root CA Generalitat Valenciana"
      - "RSA Security 2048 v3"
      - "S-TRUST Authentication and Encryption Root CA 2005 PN"
      - "S-TRUST Universal Root CA"
      - "SwissSign Platinum CA - G2"
      - "TC TrustCenter Class 3 CA II"
      - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
      - "UTN USERFirst Email Root CA"
      - "Verisign Class 1 Public Primary Certification Authority"
      - "Verisign Class 1 Public Primary Certification Authority - G3"
      - "Verisign Class 2 Public Primary Certification Authority - G2"
      - "Verisign Class 2 Public Primary Certification Authority - G3"
      - "Verisign Class 3 Public Primary Certification Authority"
      - "WellsSecure Public Root Certificate Authority"

 -- Steve McIntyre <93sam@debian.org>  Tue, 09 Jun 2020 01:09:35 +0100

9.12.2-20200515

Updates in 1 source package(s), 8 binary package(s):

  Source apt, binaries: apt:amd64 apt-utils:amd64 libapt-inst2.0:amd64 libapt-pkg5.0:amd64 apt:arm64 apt-utils:arm64 libapt-inst2.0:arm64 libapt-pkg5.0:arm64

  apt (1.4.10) stretch-security; urgency=high

    * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
      - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
      - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
        member names in error path
      - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
        member names in error path
      - CVE-2020-3810
    * Fix-up size in 1.4.9 security fix test case
    * Add .gitlab-ci.yml for CI testing on Salsa

 -- Steve McIntyre <93sam@debian.org>  Sun, 17 May 2020 17:31:14 +0100

9.12.1-20200328

Updates in 1 source package(s), 2 binary package(s):

  Source icu, binaries: libicu57:amd64 libicu57:arm64

  icu (57.1-6+deb9u4) stretch-security; urgency=high

    * Backport upstream security
      fix for CVE-2020-10531: SEGV_MAPERR in UnicodeString::doAppend()
      (closes: #953747).

 -- Steve McIntyre <93sam@debian.org>  Sun, 29 Mar 2020 15:38:53 +0100

9.12.0

First build for 9.12.0 release

 -- Steve McIntyre <93sam@debian.org>  Sun, 09 Feb 2020 14:59:24 +0000