From mandree@FreeBSD.org  Sat Sep  3 11:02:03 2011
Return-Path: <mandree@FreeBSD.org>
Received: from apollo.emma.line.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28])
	by hub.freebsd.org (Postfix) with ESMTP id 45E5F106564A;
	Sat,  3 Sep 2011 11:02:02 +0000 (UTC)
	(envelope-from mandree@FreeBSD.org)
Received: from mandree by apollo.emma.line.org with local (Exim 4.76 (FreeBSD))
	(envelope-from <mandree@FreeBSD.org>)
	id 1Qznz7-0007sd-9E; Sat, 03 Sep 2011 13:02:01 +0200
Message-Id: <E1Qznz7-0007sd-9E@apollo.emma.line.org>
Date: Sat, 03 Sep 2011 13:02:01 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: brooks@FreeBSD.org,kwm@FreeBSD.org
Subject: [PATCH] URGENT security/ca_root_nss: disable DigiNotar trust
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         160418
>Category:       ports
>Synopsis:       [PATCH] URGENT security/ca_root_nss: disable DigiNotar trust
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    brooks
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 03 11:10:10 UTC 2011
>Closed-Date:    Tue Sep 27 17:56:18 UTC 2011
>Last-Modified:  Tue Sep 27 17:56:18 UTC 2011
>Originator:     Matthias Andree
>Release:        FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD apollo.emma.line.org 8.2-STABLE FreeBSD 8.2-STABLE #14: Tue Aug 30 15:35:18 CEST 2011
>Description:
Disable DigiNotar Root CA per loss of trustworthiness and
bogus certificates issued after a break-in.

Added file(s):
- files/patch-certdata.txt

Port maintainer (brooks@FreeBSD.org) is cc'd.

kwm@ Cc'd per discussion on #bsdports

Generated with FreeBSD Port Tools 0.99
>How-To-Repeat:
>Fix:

--- ca_root_nss-3.12.9_1.patch begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/ca_root_nss/Makefile,v
retrieving revision 1.11
diff -u -u -r1.11 Makefile
--- Makefile	26 May 2011 14:56:01 -0000	1.11
+++ Makefile	3 Sep 2011 10:56:37 -0000
@@ -7,6 +7,7 @@
 
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_MOZILLA} \
 		${MASTER_SITES_MODSSL:S/$/:mod_ssl/}
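Review bot: PORTREVISION=1 is correctly added right after `PORTVERSION=	${VERSION_NSS}`, since the NSS version itself is unchanged and only a bump makes already-installed ca_root_nss packages show up as outdated and get rebuilt with the new files/patch-certdata.txt. If the port is instead moved to a newer NSS certdata (as the follow-up in this PR proposes), PORTVERSION changes through ${VERSION_NSS} and this line should be dropped again rather than carried over.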
Index: files/patch-certdata.txt
===================================================================
RCS file: files/patch-certdata.txt
diff -N files/patch-certdata.txt
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-certdata.txt	3 Sep 2011 10:55:00 -0000
@@ -0,0 +1,170 @@
+This patch is to remove DigiNotar material from certdata.txt
+after they'd been broken into, with bogus certificates signed,
+and DigiNotar unwilling to disclose enough information about what.
+
+Remove their stuff altogether, they are no longer trustworthy.
+
+--- ./certdata.txt.orig	2011-09-03 12:50:09.000000000 +0200
++++ ./certdata.txt	2011-09-03 12:50:44.000000000 +0200
+@@ -14831,161 +14831,6 @@
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+-# Certificate "DigiNotar Root CA"
+-#
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "DigiNotar Root CA"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+-\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+-\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151
+-\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061
+-\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021
+-\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156
+-\154
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+-\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+-\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151
+-\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061
+-\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021
+-\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156
+-\154
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\020\014\166\332\234\221\014\116\054\236\376\025\320\130\223
+-\074\114
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\005\212\060\202\003\162\240\003\002\001\002\002\020\014
+-\166\332\234\221\014\116\054\236\376\025\320\130\223\074\114\060
+-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
+-\061\013\060\011\006\003\125\004\006\023\002\116\114\061\022\060
+-\020\006\003\125\004\012\023\011\104\151\147\151\116\157\164\141
+-\162\061\032\060\030\006\003\125\004\003\023\021\104\151\147\151
+-\116\157\164\141\162\040\122\157\157\164\040\103\101\061\040\060
+-\036\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156
+-\146\157\100\144\151\147\151\156\157\164\141\162\056\156\154\060
+-\036\027\015\060\067\060\065\061\066\061\067\061\071\063\066\132
+-\027\015\062\065\060\063\063\061\061\070\061\071\062\061\132\060
+-\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061\022
+-\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157\164
+-\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151\147
+-\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061\040
+-\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021\151
+-\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156\154
+-\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+-\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+-\000\254\260\130\301\000\275\330\041\010\013\053\232\376\156\126
+-\060\005\237\033\167\220\020\101\134\303\015\207\021\167\216\201
+-\361\312\174\351\214\152\355\070\164\065\273\332\337\371\273\300
+-\011\067\264\226\163\201\175\063\032\230\071\367\223\157\225\177
+-\075\271\261\165\207\272\121\110\350\213\160\076\225\004\305\330
+-\266\303\026\331\210\260\261\207\035\160\332\206\264\017\024\213
+-\172\317\020\321\164\066\242\022\173\167\206\112\171\346\173\337
+-\002\021\150\245\116\206\256\064\130\233\044\023\170\126\042\045
+-\036\001\213\113\121\161\373\202\314\131\226\151\210\132\150\123
+-\305\271\015\002\067\313\113\274\146\112\220\176\052\013\005\007
+-\355\026\137\125\220\165\330\106\311\033\203\342\010\276\361\043
+-\314\231\035\326\052\017\203\040\025\130\047\202\056\372\342\042
+-\302\111\261\271\001\201\152\235\155\235\100\167\150\166\116\041
+-\052\155\204\100\205\116\166\231\174\202\363\363\267\002\131\324
+-\046\001\033\216\337\255\123\006\321\256\030\335\342\262\072\313
+-\327\210\070\216\254\133\051\271\031\323\230\371\030\003\317\110
+-\202\206\146\013\033\151\017\311\353\070\210\172\046\032\005\114
+-\222\327\044\324\226\362\254\122\055\243\107\325\122\366\077\376
+-\316\204\006\160\246\252\076\242\362\266\126\064\030\127\242\344
+-\201\155\347\312\360\152\323\307\221\153\002\203\101\174\025\357
+-\153\232\144\136\343\320\074\345\261\353\173\135\206\373\313\346
+-\167\111\315\243\145\334\367\271\234\270\344\013\137\223\317\314
+-\060\032\062\034\316\034\143\225\245\371\352\341\164\213\236\351
+-\053\251\060\173\240\030\037\016\030\013\345\133\251\323\321\154
+-\036\007\147\217\221\113\251\212\274\322\146\252\223\001\210\262
+-\221\372\061\134\325\246\301\122\010\011\315\012\143\242\323\042
+-\246\350\241\331\071\006\227\365\156\215\002\220\214\024\173\077
+-\200\315\033\234\272\304\130\162\043\257\266\126\237\306\172\102
+-\063\051\007\077\202\311\346\037\005\015\315\114\050\066\213\323
+-\310\076\034\306\210\357\136\356\211\144\351\035\353\332\211\176
+-\062\246\151\321\335\314\210\237\321\320\311\146\041\334\006\147
+-\305\224\172\232\155\142\114\175\314\340\144\200\262\236\107\216
+-\243\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035
+-\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125
+-\035\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125
+-\035\016\004\026\004\024\210\150\277\340\216\065\304\073\070\153
+-\142\367\050\073\204\201\310\014\327\115\060\015\006\011\052\206
+-\110\206\367\015\001\001\005\005\000\003\202\002\001\000\073\002
+-\215\313\074\060\350\156\240\255\362\163\263\137\236\045\023\004
+-\005\323\366\343\213\273\013\171\316\123\336\344\226\305\321\257
+-\163\274\325\303\320\100\125\174\100\177\315\033\137\011\325\362
+-\174\237\150\035\273\135\316\172\071\302\214\326\230\173\305\203
+-\125\250\325\175\100\312\340\036\367\211\136\143\135\241\023\302
+-\135\212\266\212\174\000\363\043\303\355\205\137\161\166\360\150
+-\143\252\105\041\071\110\141\170\066\334\361\103\223\324\045\307
+-\362\200\145\341\123\002\165\121\374\172\072\357\067\253\204\050
+-\127\014\330\324\324\231\126\154\343\242\376\131\204\264\061\350
+-\063\370\144\224\224\121\227\253\071\305\113\355\332\335\200\013
+-\157\174\051\015\304\216\212\162\015\347\123\024\262\140\101\075
+-\204\221\061\150\075\047\104\333\345\336\364\372\143\105\310\114
+-\076\230\365\077\101\272\116\313\067\015\272\146\230\361\335\313
+-\237\134\367\124\066\202\153\054\274\023\141\227\102\370\170\273
+-\314\310\242\237\312\360\150\275\153\035\262\337\215\157\007\235
+-\332\216\147\307\107\036\312\271\277\052\102\221\267\143\123\146
+-\361\102\243\341\364\132\115\130\153\265\344\244\063\255\134\160
+-\035\334\340\362\353\163\024\221\232\003\301\352\000\145\274\007
+-\374\317\022\021\042\054\256\240\275\072\340\242\052\330\131\351
+-\051\323\030\065\244\254\021\137\031\265\265\033\377\042\112\134
+-\306\172\344\027\357\040\251\247\364\077\255\212\247\232\004\045
+-\235\016\312\067\346\120\375\214\102\051\004\232\354\271\317\113
+-\162\275\342\010\066\257\043\057\142\345\312\001\323\160\333\174
+-\202\043\054\026\061\014\306\066\007\220\172\261\037\147\130\304
+-\073\130\131\211\260\214\214\120\263\330\206\313\150\243\304\012
+-\347\151\113\040\316\301\036\126\113\225\251\043\150\330\060\330
+-\303\353\260\125\121\315\345\375\053\270\365\273\021\237\123\124
+-\366\064\031\214\171\011\066\312\141\027\045\027\013\202\230\163
+-\014\167\164\303\325\015\307\250\022\114\307\247\124\161\107\056
+-\054\032\175\311\343\053\073\110\336\047\204\247\143\066\263\175
+-\217\240\144\071\044\015\075\173\207\257\146\134\164\033\113\163
+-\262\345\214\360\206\231\270\345\305\337\204\301\267\353
+-END
+-
+-# Trust for Certificate "DigiNotar Root CA"
+-CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "DigiNotar Root CA"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\300\140\355\104\313\330\201\275\016\370\154\013\242\207\335\317
+-\201\147\107\214
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\172\171\124\115\007\222\073\133\377\101\360\016\307\071\242\230
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\137\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+-\022\060\020\006\003\125\004\012\023\011\104\151\147\151\116\157
+-\164\141\162\061\032\060\030\006\003\125\004\003\023\021\104\151
+-\147\151\116\157\164\141\162\040\122\157\157\164\040\103\101\061
+-\040\060\036\006\011\052\206\110\206\367\015\001\011\001\026\021
+-\151\156\146\157\100\144\151\147\151\156\157\164\141\162\056\156
+-\154
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\020\014\166\332\234\221\014\116\054\236\376\025\320\130\223
+-\074\114
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "Network Solutions Certificate Authority"
+ #
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
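Review bot: deleting both objects, from `-# Certificate "DigiNotar Root CA"` down to `-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE`, makes the root merely absent from the store rather than distrusted. An absent root blocks DigiNotar-issued certificates only as long as no other trusted path to them exists (another bundle on the system, a cross-signed intermediate), whereas keeping the CKO_NETSCAPE_TRUST object and setting its CKA_TRUST_SERVER_AUTH and CKA_TRUST_CODE_SIGNING values to NSS's explicitly untrusted trust value rejects them regardless; that is what the "explicit distrust" entries in the updated CKBI database mentioned later in this PR do, so that route should be preferred over removal. The hunk itself is consistent (`@@ -14831,161 +14831,6 @@`: 155 removed lines plus six context lines), and the free-text header ahead of the nested `---`/`+++` lines is skipped by patch(1) as leading garbage.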
--- ca_root_nss-3.12.9_1.patch ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->brooks 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sat Sep 3 11:10:20 UTC 2011 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=160418 

From: Matthias Andree <mandree@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org, 
 Brooks Davis <brooks@FreeBSD.org>,
 Koop Mast <kwm@freebsd.org>
Cc:  
Subject: Re: ports/160418: [PATCH] URGENT security/ca_root_nss: disable DigiNotar
 trust
Date: Sat, 03 Sep 2011 13:12:51 +0200

 On 03.09.2011 13:10, FreeBSD-gnats-submit@FreeBSD.org wrote:
 > Thank you very much for your problem report.
 > It has the internal identification `ports/160418'.
 > The individual assigned to look at your
 > report is: freebsd-ports-bugs. 
 > 
 > You can access the state of your problem report at any time
 > via this link:
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=160418
 > 
 >> Category:       ports
 >> Responsible:    freebsd-ports-bugs
 >> Synopsis:       [PATCH] URGENT security/ca_root_nss: disable DigiNotar trust
 >> Arrival-Date:   Sat Sep 03 11:10:10 UTC 2011
 
 Please don't use this, but update to the new CKBI database which has
 "explicit distrust DigiNotar" entries.
 
 This should happen ASAP, if possible today, to avoid users being
 eavesdropped on with counterfeit Google certificates that crooks signed
 after a break-in into DigiNotar systems.
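The distinction drawn above between removing a root and explicitly distrusting it, shown on the certdata.txt record format the patch edits. This is an added example, not code from the PR or the ca_root_nss port; SAMPLE is a constructed excerpt, and the distrusted record assumes CKT_NETSCAPE_UNTRUSTED as the explicit-distrust trust value (not taken from the page).

```python
# Added example: parse CKO_NETSCAPE_TRUST records from certdata.txt syntax and
# classify a CA label.  SAMPLE is constructed; CKT_NETSCAPE_UNTRUSTED is assumed
# to be the explicit-distrust value used by this certdata.txt generation.
SAMPLE = r"""# Trust for Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\300\140\355\104
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR

# Trust for Certificate "Explicitly Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Explicitly Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_UNTRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_UNTRUSTED
"""

def parse_trust_records(text):
    """{label: {CKA_TRUST_*: value}} for every CKO_NETSCAPE_TRUST object.
    A blank line ends a record; MULTILINE_OCTAL bodies run to END and are skipped."""
    records, cur, in_octal = {}, {}, False
    for line in text.splitlines() + [""]:       # trailing "" flushes the last record
        if in_octal:
            in_octal = line.strip() != "END"
        elif not line.strip():
            if cur.get("CKA_CLASS") == "CKO_NETSCAPE_TRUST":
                records[cur["CKA_LABEL"]] = {k: v for k, v in cur.items() if k.startswith("CKA_TRUST_")}
            cur = {}
        elif not line.startswith("#"):
            attr, typ, *value = line.split(None, 2)  # ATTRIBUTE TYPE [VALUE]
            if typ == "MULTILINE_OCTAL":
                in_octal = True
            else:
                cur[attr] = value[0].strip('"')
    return records

def classify(records, label):
    """'absent' (no record, which is what deleting the entry yields), 'distrusted', 'trusted' or 'unknown'."""
    rec = records.get(label)
    if rec is None:
        return "absent"
    values = set(rec.values())
    if "CKT_NETSCAPE_UNTRUSTED" in values:     # explicit distrust wins over any trust bit
        return "distrusted"
    if "CKT_NETSCAPE_TRUSTED_DELEGATOR" in values:
        return "trusted"
    return "unknown"
```

Run against the patched certdata.txt, classify() reports "absent" for "DigiNotar Root CA", which a verifier treats like any unknown CA; only a record that classifies as "distrusted" rejects the chain regardless of other trust paths.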

From: Chris Rees <utisoft@gmail.com>
To: Matthias Andree <mandree@freebsd.org>
Cc: freebsd-ports-bugs@freebsd.org, 
	"bug-followup@freebsd.org" <bug-followup@freebsd.org>, Brooks Davis <brooks@freebsd.org>, 
	Koop Mast <kwm@freebsd.org>
Subject: Re: ports/160418: [PATCH] URGENT security/ca_root_nss: disable
 DigiNotar trust
Date: Sat, 3 Sep 2011 14:37:20 +0100

 Matthias, did you vuxml this too?
State-Changed-From-To: open->closed 
State-Changed-By: mandree 
State-Changed-When: Tue Sep 27 17:56:17 UTC 2011 
State-Changed-Why:  
committed weeks ago, with vuxml entries. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=160418 
>Unformatted:
