It has been reported that a small number of certificates have been compromised. Upstream has a patch which blacklists these certificates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 4. Via RHSA-2011:0375 https://rhn.redhat.com/errata/RHSA-2011-0375.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6. Via RHSA-2011:0374 https://rhn.redhat.com/errata/RHSA-2011-0374.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6. Via RHSA-2011:0373 https://rhn.redhat.com/errata/RHSA-2011-0373.html
References:
http://www.mozilla.org/security/announce/2011/mfsa2011-11.html
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/
Shouldn't the certificates be blacklisted in NSS, not PSM, so that all applications benefit?
The Mozilla application level patch was done first. We are working on an NSS level patch, too.
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/cident-2011-03-23.html
The link in comment 8 doesn't work for me. This one does: http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/
The list of CNs from the Comodo incident report: http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Domain: mail.google.com      Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E
Domain: www.google.com       Serial: 00F5C86AF36162F13A64F54F6DC9587C06
Domain: login.yahoo.com      Serial: 00D7558FDAF5F1105BB213282B707729A3
Domain: login.yahoo.com      Serial: 392A434F0E07DF1F8AA305DE34E0C229
Domain: login.yahoo.com      Serial: 3E75CED46B693021218830AE86A82A71
Domain: login.skype.com      Serial: 00E9028B9578E415DC1A710A2B88154447
Domain: addons.mozilla.org   Serial: 009239D5348F40D1695A745470E1F23F43
Domain: login.live.com       Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0
Domain: global trustee       Serial: 00D8F35F4EB7872B2DAB0692E315382FB0
Further coverage:
http://news.netcraft.com/archives/2011/03/30/two-further-comodo-ra-accounts-compromised.html
http://news.netcraft.com/archives/2011/03/29/comodo-hacker-releases-mozilla-certificate.html
Qt bug for this issue: http://bugreports.qt.nokia.com/browse/QTBUG-18338

Qt commits adding blacklist (based on serial numbers):
http://qt.gitorious.org/qt/qt/commit/04e074e8d7c097295505e63565abdc7ca2b49f7b
http://qt.gitorious.org/qt/qt/commit/b87528a71b66e786c11804d7b79e408aae612748

and related tests:
http://qt.gitorious.org/qt/qt/commit/764e060a389a18a5804d23c528abdaebcee3ca13
http://qt.gitorious.org/qt/qt/commit/aeabe790203e7dcb1786e0dad7b4608f1e45b7d5
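The serial-number blacklist approach used by the Qt commits above, and the serials listed in comment 10, can be exercised with the following added example. It is not code from Qt, NSS, PSM or Red Hat; it is a stand-alone illustration of two points a practitioner has to get right when matching serials: the leading 00 byte on several of the listed serials is DER sign padding (a positive INTEGER whose top bit is set gets a zero byte prepended), so a serial printed by one tool as `00F5C8...` and by another as `F5:C8:...` is the same number; and comparison should be done on the integer value, not on the hex text. The DER-INTEGER decoder, the `is_blacklisted`/`blacklisted_cn` helper names and the sample DER bytes are constructed for this example.

```python
"""Check X.509 serial numbers against the serials from the Comodo incident report.

Added example, not part of any project's code. The blacklist below is the list
quoted in comment 10 of this bug; all function names are hypothetical.
"""
import re
from typing import Optional, Union

# Serials exactly as printed in the incident report (hex, some with DER 00 padding).
BLACKLISTED_SERIALS_HEX = {
    "047ECBE9FCA55F7BD09EAE36E10CAE1E": "mail.google.com",
    "00F5C86AF36162F13A64F54F6DC9587C06": "www.google.com",
    "00D7558FDAF5F1105BB213282B707729A3": "login.yahoo.com",
    "392A434F0E07DF1F8AA305DE34E0C229": "login.yahoo.com",
    "3E75CED46B693021218830AE86A82A71": "login.yahoo.com",
    "00E9028B9578E415DC1A710A2B88154447": "login.skype.com",
    "009239D5348F40D1695A745470E1F23F43": "addons.mozilla.org",
    "00B0B7133ED096F9B56FAE91C874BD3AC0": "login.live.com",
    "00D8F35F4EB7872B2DAB0692E315382FB0": "global trustee",
}


def normalize_serial(serial: Union[str, int]) -> int:
    """Turn any common serial spelling into its integer value.

    Accepts an int, or a hex string with optional colons, spaces, "0x" prefix
    and leading zero bytes ("00F5..." and "F5:C8:..." both normalize the same).
    """
    if isinstance(serial, int):
        return serial
    digits = re.sub(r"[^0-9a-fA-F]", "", serial)  # drop ':', ' ', and the 'x' of '0x'
    if not digits:
        raise ValueError("serial contains no hex digits: %r" % (serial,))
    return int(digits, 16)


# Keyed by integer value so textual differences cannot cause a missed match.
BLACKLIST = {normalize_serial(h): cn for h, cn in BLACKLISTED_SERIALS_HEX.items()}


def serial_from_der_integer(der: bytes) -> int:
    """Decode a DER INTEGER (tag 0x02), the encoding of TBSCertificate.serialNumber.

    Constructed decoder for this example only. It handles short- and long-form
    lengths and decodes the body as a signed big-endian integer, which is why a
    value padded with a leading 00 byte comes out as the expected positive number.
    """
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = der[1]
    offset = 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    body = der[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(body, "big", signed=True)


def blacklisted_cn(serial: Union[str, int, bytes]) -> Optional[str]:
    """Return the CN the report associates with this serial, or None if not listed.

    A bytes argument is treated as the raw DER INTEGER of the serialNumber field.
    """
    value = serial_from_der_integer(serial) if isinstance(serial, bytes) else normalize_serial(serial)
    return BLACKLIST.get(value)


def is_blacklisted(serial: Union[str, int, bytes]) -> bool:
    return blacklisted_cn(serial) is not None


if __name__ == "__main__":
    # Constructed DER bytes for the www.google.com serial: tag 0x02, length 17, padded body.
    der_sample = b"\x02\x11" + bytes.fromhex("00F5C86AF36162F13A64F54F6DC9587C06")
    print("DER form matches:", is_blacklisted(der_sample))
    print("openssl colon form matches:", blacklisted_cn("F5:C8:6A:F3:61:62:F1:3A:64:F5:4F:6D:C9:58:7C:06"))
    print("unrelated serial matches:", is_blacklisted("0x01"))
```

Matching on serial alone is only a stopgap: per RFC 5280 a serial is unique only within one issuer, so a production blocklist should key on (issuer, serial) or on a hash of the full certificate, as a check against accidental collisions with certificates from other CAs.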
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 4. Via RHSA-2011:0472 https://rhn.redhat.com/errata/RHSA-2011-0472.html
Removing external tracker bug with the id '18338' as it is not valid for this tracker