openSUSE-RU-2018:0392-1: moderate: Recommended update for ca-certificates-mozilla

8 Feb 2018

      openSUSE Recommended Update: Recommended update for ca-certificates-mozilla
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2018:0392-1
Rating:             moderate
References:         #1010996 #1071152 #1071390 
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that has three recommended fixes can now be
   installed.

Description:

   The system SSL root certificate store was updated to Mozilla certificate
   version 2.22 from January 2018.  (bsc#1071152 bsc#1071390 bsc#1010996)

   We removed the old 1024 bit legacy CAs that were temporary left in to
   allow in-chain root certificates as openssl is now able to handle it.

   Further changes coming from Mozilla:

   - New Root CAs added:

     * Amazon Root CA 1: (email protection, server auth)
     * Amazon Root CA 2: (email protection, server auth)
     * Amazon Root CA 3: (email protection, server auth)
     * Amazon Root CA 4: (email protection, server auth)
     * Certplus Root CA G1: (email protection, server auth)
     * Certplus Root CA G2: (email protection, server auth)
     * D-TRUST Root CA 3 2013: (email protection)
     * GDCA TrustAUTH R5 ROOT: (server auth)
     * Hellenic Academic and Research Institutions ECC RootCA 2015: (email
       protection, server auth)
     * Hellenic Academic and Research Institutions RootCA 2015: (email
       protection, server auth)
     * ISRG Root X1: (server auth)
     * LuxTrust Global Root 2: (server auth)
     * OpenTrust Root CA G1: (email protection, server auth)
     * OpenTrust Root CA G2: (email protection, server auth)
     * OpenTrust Root CA G3: (email protection, server auth)
     * SSL.com EV Root Certification Authority ECC: (server auth)
     * SSL.com EV Root Certification Authority RSA R2: (server auth)
     * SSL.com Root Certification Authority ECC: (email protection, server
       auth)
     * SSL.com Root Certification Authority RSA: (email protection, server
       auth)
     * Symantec Class 1 Public Primary Certification Authority - G4: (email
       protection)
     * Symantec Class 1 Public Primary Certification Authority - G6: (email
       protection)
     * Symantec Class 2 Public Primary Certification Authority - G4: (email
       protection)
     * Symantec Class 2 Public Primary Certification Authority - G6: (email
       protection)
     * TrustCor ECA-1: (email protection, server auth)
     * TrustCor RootCert CA-1: (email protection, server auth)
     * TrustCor RootCert CA-2: (email protection, server auth)
     * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

   - Removed root CAs:

     * AddTrust Public Services Root
     * AddTrust Public CA Root
     * AddTrust Qualified CA Root
     * ApplicationCA - Japanese Government
     * Buypass Class 2 CA 1
     * CA Disig Root R1
     * CA WoSign ECC Root
     * Certification Authority of WoSign G2
     * Certinomis - Autorité Racine
     * Certum Root CA
     * China Internet Network Information Center EV Certificates Root
     * CNNIC ROOT
     * Comodo Secure Services root
     * Comodo Trusted Services root
     * ComSign Secured CA
     * EBG Elektronik Sertifika Hizmet Sağlayıcısı
     * Equifax Secure CA
     * Equifax Secure eBusiness CA 1
     * Equifax Secure Global eBusiness CA
     * GeoTrust Global CA 2
     * IGC/A
     * Juur-SK
     * Microsec e-Szigno Root CA
     * PSCProcert
     * Root CA Generalitat Valenciana
     * RSA Security 2048 v3
     * Security Communication EV RootCA1
     * Sonera Class 1 Root CA
     * StartCom Certification Authority
     * StartCom Certification Authority G2
     * S-TRUST Authentication and Encryption Root CA 2005 PN
     * Swisscom Root CA 1
     * Swisscom Root EV CA 2
     * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
     * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
     * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
     * UTN USERFirst Hardware Root CA
     * UTN USERFirst Object Root CA
     * VeriSign Class 3 Secure Server CA - G2
     * Verisign Class 1 Public Primary Certification Authority
     * Verisign Class 2 Public Primary Certification Authority - G2
     * Verisign Class 3 Public Primary Certification Authority
     * WellsSecure Public Root Certificate Authority
     * Certification Authority of WoSign
     * WoSign China

   - Removed Code Signing rights from a lot of CAs (not listed here).

   - Removed Server Auth rights from:

     * AddTrust Low-Value Services Root
     * Camerfirma Chambers of Commerce Root
     * Camerfirma Global Chambersign Root
     * Swisscom Root CA 2

   This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

   To install this openSUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-142=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.3 (noarch):

      ca-certificates-mozilla-2.22-12.1

References:

   https://bugzilla.suse.com/1010996
   https://bugzilla.suse.com/1071152
   https://bugzilla.suse.com/1071390

maintenance＠opensuse.org

tags

participants (1)