Bug 381713 - <www-client/chromium-13.0.782.220, <www-client/google-chrome-13.0.782.220_p99552: Fraudulent DigiNotar certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://googleonlinesecurity.blogspot....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-03 20:02 UTC by Mike Gilbert
Modified: 2011-11-01 10:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Mike Gilbert gentoo-dev 2011-09-03 20:02:39 UTC
Similar to bug 381245. From the Google Security blog:

An update on attempted man-in-the-middle attacks
Monday, August 29, 2011 8:59 PM
Posted by Heather Adkins, Information Security Manager 

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). 

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate. 

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates. Microsoft also has taken prompt action. 

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.
Comment 1 Mike Gilbert gentoo-dev 2011-09-03 20:06:13 UTC
I have added versions to the tree which blacklist the DigiNotar Root CA.

=www-client/chromium-13.0.782.220
=www-client/google-chrome-13.0.782.220_p99552

www-client/google-chrome has no stable keywords.
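What "blacklisting the DigiNotar Root CA" means at the certificate-verification layer can be shown with a small openssl session. The script below is an added example written for this page; it is not the Gentoo ebuild change, not Chrome's or Firefox's own distrust mechanism, and not code from Google or DigiNotar. It assumes the openssl command-line tool (1.1.0 or later) is installed, and every certificate, key and name in it is constructed on the spot ("Constructed Rogue Root CA" and "www.example.com" are placeholders). The bug report does not say how Chrome recognised the fraudulent certificate, so that part is not modelled; the example only shows the whole-CA response the comments describe: a leaf certificate chaining to the rogue root validates while that root is in the trust bundle, and is rejected once the root is removed.

```shell
#!/bin/sh
# Added example for this bug page, not the Gentoo ebuild change or Chrome's code.
# Assumes the openssl CLI (1.1.0 or later). All certificates are constructed here;
# "www.example.com" and the CA names are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A benign root CA that stays trusted throughout.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/good-ca.key" -out "$WORK/good-ca.pem" \
  -subj "/CN=Constructed Benign Root CA" >/dev/null 2>&1

# A root CA standing in for one that issued a certificate it had no business
# issuing (the DigiNotar case in the report).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/rogue-ca.key" -out "$WORK/rogue-ca.pem" \
  -subj "/CN=Constructed Rogue Root CA" >/dev/null 2>&1

# Leaf certificate for a host name, signed by the rogue CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=www.example.com" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/rogue-ca.pem" -CAkey "$WORK/rogue-ca.key" -CAcreateserial \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# Trust store before the fix: both roots are trusted.
cat "$WORK/good-ca.pem" "$WORK/rogue-ca.pem" > "$WORK/store-before.pem"
# Trust store after the fix: the rogue root is dropped from the bundle.
cp "$WORK/good-ca.pem" "$WORK/store-after.pem"

# verify_leaf STORE: validate leaf.pem against STORE only (the system store is
# ignored via -no-CAfile/-no-CApath) and print "trusted" or "rejected".
verify_leaf() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

echo "before distrust: $(verify_leaf "$WORK/store-before.pem")"
echo "after distrust:  $(verify_leaf "$WORK/store-after.pem")"
```

Run it as a plain shell script; the first line prints `trusted` and the second `rejected`. The point of the two stores is that distrust is a property of the verifier's trust bundle, not of the certificate: nothing about the leaf changes between the two checks, and the "after" store fails with OpenSSL's "unable to get local issuer certificate" because the chain no longer terminates in a trusted root. A packaged browser that ships its own root list (as the chromium and google-chrome ebuilds here do) therefore needs a rebuild or an update to drop a compromised CA, which is why the bug asks for new versions to be stabilized rather than for a configuration change.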
Comment 2 Mike Gilbert gentoo-dev 2011-09-03 20:21:19 UTC
Please stabilize =www-client/chromium-13.0.782.220
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-04 01:55:21 UTC
amd64 ok as usual
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-04 08:23:36 UTC
amd64: pass
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-04 18:42:28 UTC
Archtested both on x86: everything fine.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2011-09-04 19:39:14 UTC
+  04 Sep 2011; Tony Vroon <chainsaw@gentoo.org> chromium-13.0.782.220.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #381713 filed by Mike
+  "floppym" Gilbert.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-09-12 22:32:01 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2011-09-13 17:25:40 UTC
Thanks all. Adding glsa vote request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-11-01 10:03:11 UTC
This issue was resolved and addressed in GLSA 201111-01 at http://security.gentoo.org/glsa/glsa-201111-01.xml by GLSA coordinator Alex Legler (a3li).