
Bug 726650

Summary: net-libs/gnutls-3.6.13 mishandles expired root certificates by ignoring a valid one in the chain
Product: Gentoo Linux
Reporter: Mart Raudsepp <leio>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.com/gnutls/gnutls/-/merge_requests/1271
See Also: https://bugs.gentoo.org/show_bug.cgi?id=726412
Whiteboard:
Package list:
Runtime testing required: ---

Description Mart Raudsepp gentoo-dev 2020-06-01 14:25:27 UTC
net-libs/gnutls-3.6.13 fails to properly handle TLS certificate expiry in a chain of certificates, effectively breaking, since today, https sites that ought to continue working, due to the expiration of the AddTrust root certificate.
For example adblockplus filters for epiphany can't be retrieved anymore.

https://mail.gnome.org/archives/distributor-list/2020-June/msg00000.html
https://gitlab.com/gnutls/gnutls/-/issues/1008
https://gitlab.com/gnutls/gnutls/-/merge_requests/1271
https://gitlab.com/gnutls/gnutls/-/merge_requests/1271.patch

Please consider it urgent to get the last link patch included in a stable revision.
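The failure mode behind this report, as an added simplified Python model (not GnuTLS code and not part of this bug report): certificates are reduced to subject, issuer and expiry, the names are modelled on the AddTrust / USERTrust cross-signing and the dates are illustrative. It contrasts a verifier that requires every certificate the peer sent to be valid against one that anchors on the first chain certificate whose subject is an unexpired root in the trust store and ignores the rest of the chain.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    # subject/issuer/expiry only; a signature is assumed valid when the names link
    subject: str
    issuer: str
    not_after: datetime

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample modelled on the 2020-05-30 AddTrust expiry; names are
# shortened and dates illustrative, not copied from the real certificates.
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", _utc(2020, 5, 30))
USERTRUST = Cert("USERTrust RSA CA", "USERTrust RSA CA", _utc(2038, 1, 18))
CROSS_SIGNED = Cert("USERTrust RSA CA", "AddTrust External CA Root", _utc(2020, 5, 30))
INTERMEDIATE = Cert("Sectigo RSA DV CA", "USERTrust RSA CA", _utc(2030, 12, 31))
LEAF = Cert("example.invalid", "Sectigo RSA DV CA", _utc(2021, 6, 1))

SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED]  # old chain many servers still send
TRUST_STORE = [ADDTRUST, USERTRUST]                # both roots installed, one expired
NOW = _utc(2020, 6, 1)                             # the day this bug was filed

def _linked(chain):
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))

def _valid_anchor(store, subject, now):
    return any(c.subject == subject and c.not_after >= now for c in store)

def verify_naive(chain, store, now):
    """Buggy: every cert the peer sent must be unexpired, and the top of the
    chain must be issued by an unexpired trusted root."""
    if not _linked(chain) or any(c.not_after < now for c in chain):
        return False
    return _valid_anchor(store, chain[-1].issuer, now)

def verify_robust(chain, store, now):
    """Fixed: anchor on the first chain cert whose subject is a valid trusted
    root and ignore whatever the peer sent beyond it."""
    if not _linked(chain):
        return False
    for cert in chain:
        if _valid_anchor(store, cert.subject, now):
            return True   # trusted USERTrust root replaces the expired cross-signed copy
        if cert.not_after < now:
            return False
    return _valid_anchor(store, chain[-1].issuer, now)
```

The same chain that the naive verifier rejected after 2020-05-30 is accepted by the robust one as long as the valid USERTrust root is in the store, with or without the expired AddTrust root; dropping the expired root alone (the ca-certificates bump) does not rescue the naive verifier, because the cross-signed certificate the peer sent is itself expired.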
Comment 1 Larry the Git Cow gentoo-dev 2020-06-01 19:17:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7402bdfcb5c3017b29d80d60312804b4b3fbebd

commit f7402bdfcb5c3017b29d80d60312804b4b3fbebd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-01 19:01:34 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-01 19:17:15 +0000

    net-libs/gnutls: rev bump to fix handling of expired root certificates
    
    Link: https://gitlab.com/gnutls/gnutls/-/issues/1008
    Closes: https://bugs.gentoo.org/726650
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...s-3.6.13-handle-expired-root-certificates.patch | 391 +++++++++++++++++++++
 ...nutls-3.6.13.ebuild => gnutls-3.6.13-r1.ebuild} |   2 +
 2 files changed, 393 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2020-06-02 17:13:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=617b767f5022f81117e028e258d8b0e008594a31

commit 617b767f5022f81117e028e258d8b0e008594a31
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2020-06-02 16:48:35 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-06-02 17:13:18 +0000

    app-misc/ca-certificates: bump
    
    Bump to unreleased latest Debian sources which haven't been formally
    announced but are available via the Debian git systems.
    
    Removes expired AddTrust External CA root causing problems with GnuTLS &
    OpenSSL 1.0.
    
    Closes: https://bugs.gentoo.org/726412
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=726650
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 app-misc/ca-certificates/Manifest                  |   1 +
 .../ca-certificates-20200601.3.53.ebuild           | 192 +++++++++++++++++++++
 2 files changed, 193 insertions(+)