Bug 734316 - Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34)
Summary: Fraudulent certificates signed by DigiNotar CA certificate (MFSA 2011-34)
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110830,reported=20110830,sou...
Keywords: Security
: 734846 (view as bug list)
Depends On: 734317 734318 734319 734320 734321 734322 734323 734324 734325 734326 734327 734328
Blocks: 734337 735432
TreeView+ depends on / blocked
 
Reported: 2011-08-30 05:17 UTC by Huzaifa S. Sidhpurwala
Modified: 2012-04-30 17:15 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-05 07:59:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1242 normal SHIPPED_LIVE Important: firefox security update 2011-08-31 20:07:01 UTC
Red Hat Product Errata RHSA-2011:1243 normal SHIPPED_LIVE Important: thunderbird security update 2011-08-31 20:02:00 UTC
Red Hat Product Errata RHSA-2011:1244 normal SHIPPED_LIVE Important: seamonkey security update 2011-08-31 20:22:32 UTC
Red Hat Product Errata RHSA-2011:1282 normal SHIPPED_LIVE Important: nss and nspr security update 2011-09-12 19:02:58 UTC
Red Hat Product Errata RHSA-2012:0532 normal SHIPPED_LIVE Important: nss security update 2012-04-30 21:13:37 UTC
Mozilla Foundation 682927 None None None Never

Description Huzaifa S. Sidhpurwala 2011-08-30 05:17:37 UTC
Mozilla has reported about the issuance of at least one fraudulent SSL certificate for public websites belonging to Google, Inc. 

Reference:
https://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

Comment 5 Vincent Danen 2011-08-31 04:16:11 UTC
MFSA 2011-34 corrects this in Firefox 6.0.1, Firefox 3.6.21, Thunderbird 6.0.1, Thunderbird 3.1.13, and SeaMonkey 2.3.2:

http://www.mozilla.org/security/announce/2011/mfsa2011-34.html

Comment 6 Karl Abbott 2011-08-31 15:49:02 UTC
*** Bug 734846 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2011-08-31 20:02:06 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1243 https://rhn.redhat.com/errata/RHSA-2011-1243.html

Comment 8 errata-xmlrpc 2011-08-31 20:07:08 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1242 https://rhn.redhat.com/errata/RHSA-2011-1242.html

Comment 9 errata-xmlrpc 2011-08-31 20:22:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:1244 https://rhn.redhat.com/errata/RHSA-2011-1244.html

Comment 10 Oron Peled 2011-09-05 05:31:04 UTC
This severe issue has not been addressed at all in Fedora (14, 15, 16).
As a minimum, a security advisory is in place, instructing users to
manually remove Diginotar certificates. E.g (some dumbed-down guide):
 http://www.linuxbsdos.com/2011/09/04/how-to-delete-diginotar-ca-certificate-from-firefox/

Comment 11 Jan Vlug 2011-09-05 07:33:15 UTC
See bug#734679.
I consider this bug as very urgent. Fraudulent certificates have been released for Google, Twitter, Yahoo, and possible Dutch government sites.

Comment 12 Huzaifa S. Sidhpurwala 2011-09-05 07:52:49 UTC
Oron, Jan,

We are waiting for upstream to release fixed packages for Mozilla products. Once they do, we will release them for fedora.

Comment 13 errata-xmlrpc 2011-09-12 19:03:08 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2011:1282 https://rhn.redhat.com/errata/RHSA-2011-1282.html

Comment 14 errata-xmlrpc 2012-04-30 17:15:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:0532 https://rhn.redhat.com/errata/RHSA-2012-0532.html


Note You need to log in before you can comment on or make changes to this bug.