The upstream Mozilla CA certificates list version 2.1, as released by Mozilla with NSS 3.16.4, removed trust for several old roots, which are considered to have weak keys.
The related upstream bugs are:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
https://bugzilla.mozilla.org/show_bug.cgi?id=986005
Unfortunately, after these removals we see issues with many popular web sites in software that uses OpenSSL/GnuTLS.
The issue (or one out of several possible issues) is that web sites may be configured to send multiple intermediate CA certificates, intended for maximum compatibility with client software. One intermediate points to one of the removed CA certificates, and a second points to a newer root. The problem is that OpenSSL/GnuTLS don't search for an alternative trusted root after being unable to construct a trust chain for the topmost intermediate CA certificate sent by the servers.
In order to allow more time to implement enhancements or workarounds, the CA-certificates package will temporarily add back trust to the related root CA certificates.
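The chain-building failure described above, as an added example that is not code from OpenSSL, GnuTLS or the ca-certificates package. It is a simplified model in which a certificate is only a (subject, issuer) pair and no signatures are checked; all names are constructed.

```python
from collections import namedtuple

# Simplified model: a certificate is just (subject, issuer); no signatures are checked.
Cert = namedtuple("Cert", ["subject", "issuer"])

# Constructed sample data: the server sends two intermediates for the same CA.
LEAF = Cert("www.example.test", "Example Intermediate CA")
INT_OLD = Cert("Example Intermediate CA", "Example Old Root")  # issuer was removed
INT_NEW = Cert("Example Intermediate CA", "Example New Root")  # issuer still trusted
SENT = [INT_OLD, INT_NEW]  # order as sent by the server

def first_match_chain(leaf, sent, trusted_roots):
    """Follow only the first candidate issuer at each step; never backtrack."""
    chain, current = [leaf], leaf
    while current.issuer not in trusted_roots:
        candidates = [c for c in sent if c.subject == current.issuer and c not in chain]
        if not candidates:
            return None  # dead end: no alternative path is tried
        current = candidates[0]
        chain.append(current)
    return [c.subject for c in chain] + [current.issuer]

def search_chain(leaf, sent, trusted_roots, _chain=None):
    """Depth-first search over every candidate issuer, backtracking on dead ends."""
    chain = (_chain or []) + [leaf]
    if leaf.issuer in trusted_roots:
        return [c.subject for c in chain] + [leaf.issuer]
    for cand in sent:
        if cand.subject == leaf.issuer and cand not in chain:
            found = search_chain(cand, sent, trusted_roots, chain)
            if found:
                return found
    return None

if __name__ == "__main__":
    after_removal = {"Example New Root"}
    workaround = after_removal | {"Example Old Root"}  # trust temporarily added back
    print("first-match, old root removed: ", first_match_chain(LEAF, SENT, after_removal))
    print("search,      old root removed: ", search_chain(LEAF, SENT, after_removal))
    print("first-match, old root restored:", first_match_chain(LEAF, SENT, workaround))
```

The first call fails even though a valid path to a trusted root exists among the sent certificates; the last call shows why restoring trust in the old root lets a non-backtracking builder succeed again.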
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2014-11172
This update has been submitted for testing by kengert. This critical path update has not yet been approved for pushing to the stable repository. It must first reach a karma of 2, consisting of 0 positive karma from proventesters, along with 2 additional karma from the community. Or, it must spend 14 days in testing without any negative feedback.
AutoQA: depcheck test PASSED on i386. Result log: http://autoqa.fedoraproject.org/report/1gxuc (results are informative only)
AutoQA: depcheck test PASSED on x86_64. Result log: http://autoqa.fedoraproject.org/report/1gxud (results are informative only)
work c:
Critical path update approved
This update is currently being pushed to the Fedora 21 testing updates repository.
This update has been pushed to testing
looks fine here
Works for me
This update has reached the stable karma threshold and will be pushed to the stable updates repository
AutoQA: upgradepath test PASSED on noarch. Result log: http://autoqa.fedoraproject.org/report/1hbkf (results are informative only)
This update is currently being pushed to the Fedora 21 stable updates repository.
This update has been pushed to stable