Bug 798533

Summary: nss: Distrust MITM subCAs issued by TrustWave
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amarecek, emaldona, jrusnack, kchamart, kdudka, kengert
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-07-18 07:26:43 UTC
Bug Depends On: 798536, 798537, 798538, 798539
Bug Blocks: 784298, 798556, 827834

Description Huzaifa S. Sidhpurwala 2012-02-29 08:02:41 UTC
Trustwave issued a subordinate root certificate to a company, therefore enabling the company to issue unlimited SSL certificates for any domain/hostname:

http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

This violates the Mozilla CA Certificate Policy.

Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=724929
https://bugzilla.mozilla.org/show_bug.cgi?id=728617

NSS 3.13.3 contains the patch to actively distrust the MITM subCAs issued by TrustWave.

Comment 3 errata-xmlrpc 2012-06-20 07:24:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0973 https://rhn.redhat.com/errata/RHSA-2012-0973.html

Comment 6 Huzaifa S. Sidhpurwala 2012-06-22 05:12:19 UTC
This issue does not affect the version of nss as shipped with Fedora 16 and 17, since it's already updated to 3.13.4.

Comment 7 errata-xmlrpc 2012-07-17 18:18:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1090 https://rhn.redhat.com/errata/RHSA-2012-1090.html

Comment 8 Huzaifa S. Sidhpurwala 2012-07-18 07:26:06 UTC
Statement:

(none)