Bug 689430 - Compromised certificates
Summary: Compromised certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-21 14:05 UTC by Josh Bressers
Modified: 2019-09-29 12:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 14:18:08 UTC
Embargoed:


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Mozilla Foundation | 642395 | 0 | None | None | None | Never |
| Red Hat Product Errata | RHSA-2011:0373 | 0 | normal | SHIPPED_LIVE | Important: firefox security update | 2011-03-22 21:11:42 UTC |
| Red Hat Product Errata | RHSA-2011:0374 | 0 | normal | SHIPPED_LIVE | Important: thunderbird security and bug fix update | 2011-03-22 21:11:19 UTC |
| Red Hat Product Errata | RHSA-2011:0375 | 0 | normal | SHIPPED_LIVE | Important: seamonkey security update | 2011-03-22 20:50:50 UTC |
| Red Hat Product Errata | RHSA-2011:0472 | 0 | normal | SHIPPED_LIVE | Important: nss security update | 2011-04-29 03:03:58 UTC |

Description Josh Bressers 2011-03-21 14:05:48 UTC
It has been reported that a small number of certificates have been compromised. Upstream has a patch which blacklists these certificates.

Comment 2 errata-xmlrpc 2011-03-22 20:50:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0375 https://rhn.redhat.com/errata/RHSA-2011-0375.html

Comment 3 errata-xmlrpc 2011-03-22 21:11:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0374 https://rhn.redhat.com/errata/RHSA-2011-0374.html

Comment 4 errata-xmlrpc 2011-03-22 21:11:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0373 https://rhn.redhat.com/errata/RHSA-2011-0373.html

Comment 6 Matt McCutchen 2011-03-23 15:02:42 UTC
Shouldn't the certificates be blacklisted in NSS, not PSM, so that all applications benefit?

Comment 7 Kai Engert (:kaie) (inactive account) 2011-03-23 15:24:35 UTC
The Mozilla application level patch was done first.

We are working on an NSS level patch, too.

Comment 9 Kai Engert (:kaie) (inactive account) 2011-03-23 18:21:00 UTC
Link in comment 8 doesn't work for me.
This one does:
http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/

Comment 10 Tomas Hoger 2011-03-24 13:50:38 UTC
The list of CNs from the Comodo incident report:
  http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Domain:  mail.google.com
Serial:  047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain:  www.google.com
Serial:  00F5C86AF36162F13A64F54F6DC9587C06

Domain:  login.yahoo.com
Serial:  00D7558FDAF5F1105BB213282B707729A3

Domain:  login.yahoo.com
Serial:  392A434F0E07DF1F8AA305DE34E0C229

Domain:  login.yahoo.com
Serial:  3E75CED46B693021218830AE86A82A71

Domain:  login.skype.com
Serial:  00E9028B9578E415DC1A710A2B88154447

Domain:  addons.mozilla.org
Serial:  009239D5348F40D1695A745470E1F23F43

Domain:  login.live.com
Serial:  00B0B7133ED096F9B56FAE91C874BD3AC0

Domain:  global trustee
Serial:  00D8F35F4EB7872B2DAB0692E315382FB0
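
The list in comment 10 writes some serials with a leading 00 and others without; that byte is the sign padding a DER INTEGER needs when the top bit of the value is set, so a blocklist check has to compare integer values rather than strings. A minimal sketch of that comparison follows, added here as an illustration and not taken from the Mozilla or NSS patches; the function names and sample inputs are constructed, and it assumes all listed certificates share one issuer.

```python
import string

# Two of the nine serials, copied from the list in comment 10.
# Assumption: all entries share one issuer, so the serial alone is the key;
# a general blocklist keys on issuer plus serial.
LISTED_SERIALS = [
    "047ECBE9FCA55F7BD09EAE36E10CAE1E",    # mail.google.com
    "00F5C86AF36162F13A64F54F6DC9587C06",  # www.google.com
]


def normalize_serial(text):
    """Canonical form: upper-case hex of the integer value, no padding."""
    cleaned = text.strip().replace(":", "").replace(" ", "")
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if not cleaned or any(c not in string.hexdigits for c in cleaned):
        raise ValueError("not a hex serial: %r" % (text,))
    return format(int(cleaned, 16), "X")


def serial_from_der(content):
    """Serial from the content octets of a DER INTEGER (two's complement)."""
    value = int.from_bytes(content, "big", signed=True)
    if value < 0:
        raise ValueError("negative serial number")
    return format(value, "X")


BLOCKLIST = frozenset(normalize_serial(s) for s in LISTED_SERIALS)


def is_blocked(serial_text):
    """True if a hex serial, in any common spelling, is on the blocklist."""
    return normalize_serial(serial_text) in BLOCKLIST


def is_blocked_der(content):
    """True if the serial given as raw DER INTEGER content is blocked."""
    return serial_from_der(content) in BLOCKLIST


if __name__ == "__main__":
    # Constructed inputs: listed serials in other spellings, plus one miss.
    for sample in ("f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
                   "0x047ecbe9fca55f7bd09eae36e10cae1e",
                   "047ECBE9FCA55F7BD09EAE36E10CAE1F"):
        print(sample, is_blocked(sample))
```

A plain string lookup of the unpadded spelling against the list as written would miss the second entry, which is the case the normalization covers.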

Comment 13 errata-xmlrpc 2011-04-29 03:04:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2011:0472 https://rhn.redhat.com/errata/RHSA-2011-0472.html

Comment 14 Red Hat Bugzilla 2013-10-04 00:19:55 UTC
Removing external tracker bug with the id '18338' as it is not valid for this tracker
