Given that we have distrusted WoSign and StartSSL (bug #598072) before upstream changed anything it is now time to do the same for Symantec after Google announced to effectively nullify all currently valid certificates issued by Symantec-owned CAs.
commit 6f25c0fc00d14fba2d2597039c3cb2334182eefd Author: Lars Wendler <polynomial-c@gentoo.org> Date: Fri Mar 24 10:28:50 2017 app-misc/ca-certificates: Revbump adding Symantec to insecure certs Gentoo bug #613714 Package-Manager: Portage-2.3.5, Repoman-2.3.2
Just for the records, the commit from comment #1 was reverted by a mask (via commit https://gitweb.gentoo.org/repo/gentoo.git/commit/profiles/package.mask?id=1d41acb61bc8807f1974a47c7232ce7a12821340) just a few minutes after the bump. Gentoo is awaiting action from any CAB member before changing trust for Symantec in Gentoo.
Mozilla issues list: https://wiki.mozilla.org/CA:Symantec_Issues Mozilla discussion happening in several threads at https://lists.mozilla.org/listinfo/dev-security-policy (including series with subject of "Symantec Response [XYZ]" Next update expected on or before 20th of April (easter time extended deadline to Symantec)
ca-certificates-20161130.3.30-r1 dropped.