Bug 734316

Summary: Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caillon, gecko-bugs-nobody, jan.public, jkoten, kabbott, oron, security-response-team, stransky, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-05 07:59:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 734317, 734318, 734319, 734320, 734321, 734322, 734323, 734324, 734325, 734326, 734327, 734328    
Bug Blocks: 734337, 735432    

Description Huzaifa S. Sidhpurwala 2011-08-30 05:17:37 UTC 
Mozilla has reported about the issuance of at least one fraudulent SSL certificate for public websites belonging to Google, Inc. 

Reference:
https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
Comment 5 Vincent Danen 2011-08-31 04:16:11 UTC 
MFSA 2011-34 corrects this in Firefox 6.0.1, Firefox 3.6.21, Thunderbird 6.0.1, Thunderbird 3.1.13, and SeaMonkey 2.3.2:

http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
Comment 6 Karl Abbott 2011-08-31 15:49:02 UTC 
*** Bug 734846 has been marked as a duplicate of this bug. ***
Comment 7 errata-xmlrpc 2011-08-31 20:02:06 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1243 https://rhn.redhat.com/errata/RHSA-2011-1243.html
Comment 8 errata-xmlrpc 2011-08-31 20:07:08 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1242 https://rhn.redhat.com/errata/RHSA-2011-1242.html
Comment 9 errata-xmlrpc 2011-08-31 20:22:38 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1244 https://rhn.redhat.com/errata/RHSA-2011-1244.html
Comment 10 Oron Peled 2011-09-05 05:31:04 UTC 
This severe issue has not been addressed at all in Fedora (14, 15, 16).
As a minimum, a security advisory is in place, instructing users to
manually remove Diginotar certificates. E.g (some dumbed-down guide):
 http://www.linuxbsdos.com/2011/09/04/how-to-delete-diginotar-ca-certificate-from-firefox/
Comment 11 Jan Vlug 2011-09-05 07:33:15 UTC 
See bug#734679.
I consider this bug as very urgent. Fraudulent certificates have been released for Google, Twitter, Yahoo, and possible Dutch government sites.
Comment 12 Huzaifa S. Sidhpurwala 2011-09-05 07:52:49 UTC 
Oron, Jan,

We are waiting for upstream to release fixed packages for Mozilla products. Once they do, we will release them for fedora.
Comment 13 errata-xmlrpc 2011-09-12 19:03:08 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2011:1282 https://rhn.redhat.com/errata/RHSA-2011-1282.html
Comment 14 errata-xmlrpc 2012-04-30 17:15:52 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:0532 https://rhn.redhat.com/errata/RHSA-2012-0532.html