Bug 2581

Summary: Fraudulent *.google.com Certificate in Firefox
Product: Mageia
Reporter: Sander Lepik <mageia>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, dmorganec, doktor5000, eeeemail, olivier, stormi-mageia, sysadmin-bugs
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
Whiteboard:
Source RPM: firefox-6.0.1-1.1.mga1.i586.rpm
CVE:
Status comment:

Description Sander Lepik 2011-08-31 22:03:22 CEST
Description of problem:

Read from given URL.

Advisory:

http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
Comment 1 Sander Lepik 2011-08-31 22:04:31 CEST
Update is actually already pushed into updates_testing so it needs testing.

Assignee: security => qa-bugs

Manuel Hiebel 2011-08-31 22:12:55 CEST

CC: (none) => dmorganec

Comment 2 Florian Hubold 2011-08-31 22:24:55 CEST
Well, Firefox 6.0.1 was issued for that, AFAIK.
But DigiNotar is still a trusted CA in Firefox 6.0.1 from updates_testing?

CC: (none) => doktor5000

Comment 3 Remco Rijnders 2011-08-31 22:27:08 CEST
I believe in Firefox they only removed one of the DigiNotar (sub?)root certificates. They have various others which have not been removed from Firefox, while I believe IE, Chrome etc. may have disabled them all for now pending the audit currently going on.
Comment 4 Florian Hubold 2011-08-31 22:43:48 CEST
Well, there's only that one CA certificate. And somehow the advisory text, compared to the manual fixing instructions, confuses me. This is in the advisory:

"For the protection of our users Mozilla has removed the DigiNotar root certificate. Sites using certificates issued by DigiNotar will need to seek another certificate vendor."

root certificate means CA certificate, no? And if sites using certificates issued by DigiNotar will need to seek another certificate vendor, that means DigiNotar was invalidated as a CA, no?


Then look at the manual fixing instructions:
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
Clearly you see that the whole DigiNotar CA is distrusted/removed.
I'd prefer to handle it this way to be on the safe side.

With current 6.0.1 there is no change regarding that certificate, still needs to be fixed.
Comment 5 Florian Hubold 2011-08-31 22:44:37 CEST
Additionally, look at the according upstream bug report's topic: https://bugzilla.mozilla.org/show_bug.cgi?id=682927
Olivier FAURAX 2011-08-31 23:57:47 CEST

CC: (none) => olivier

Comment 6 Dave Hodgins 2011-09-01 01:33:31 CEST
I've been testing on i586 for a few hours.  Everything looks good. All
plugins and extensions are enabled.  The srpms are
firefox-6.0.1-1.1.mga1.src.rpm
firefox-l10n-6.0.1-1.mga1.src.rpm
xulrunner-6.0.1-1.1.mga1.src.rpm

Shouldn't firefox be in non-free rather than core?

CC: (none) => davidwhodgins

Comment 7 Florian Hubold 2011-09-01 09:32:18 CEST
(In reply to comment #6)
> 
> Shouldn't firefox be in non-free rather than core?

What? For what reason?
Comment 8 D Morgan 2011-09-01 16:00:37 CEST
Can you test the firefox extensions too?

After that we will be able to push this big update.
Comment 9 Florian Hubold 2011-09-01 16:04:42 CEST
(In reply to comment #6)
> I've been testing on i586 for a few hours.  Everything looks good.

Have you also checked that every certificate from DigiNotar is distrusted?
Is there a testcase for that?
Comment 10 Dave Hodgins 2011-09-01 19:00:33 CEST
(In reply to comment #7)
> (In reply to comment #6)
> > 
> > Shouldn't firefox be in non-free rather than core?
> 
> What? For what reason?

Sorry. I'm so used to only seeing the binary blobs, I forgot that it is
open source.

Regarding a test case for the DigiNotar certificate,
https://onlineaanvraag.diginotar.nl/Digiforms/FormDesigner.aspx
no longer shows a trusted icon.  Clicking on the yellow warning icon shows
the connection is not encrypted.

Any objections to validating this update?
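The browser check above (a DigiNotar-issued site no longer showing the trusted icon) can be made repeatable by inspecting the NSS trust flags directly. The script below is an added example and is not part of this bug report or of the Mageia packages: it parses the output of `certutil -L` (the listing embedded here is constructed, and the profile path in the comment is an assumption) and reports any DigiNotar entry that is still trusted for SSL, S/MIME or object signing.

```python
"""Check certutil -L output for DigiNotar CAs that are still trusted.

Typical invocation against a Firefox profile (path is an assumption):
    certutil -L -d sql:$HOME/.mozilla/firefox/<profile> | python3 this_script.py
"""
import re
import sys

# Constructed sample of `certutil -L` output; not a real listing.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiNotar Root CA                                            p,p,p
DigiNotar Cyber CA                                           C,C,C
GlobalSign Root CA                                           C,C,C
Some Server Cert                                             ,,
"""

# certutil trust letters: C/T = trusted CA, c = valid CA, P = trusted peer,
# p = explicitly distrusted (prohibited), u = user certificate.
FLAG_RE = re.compile(r"^[CTcPpu]*$")


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} for every certificate line."""
    entries = {}
    for line in text.splitlines():
        line = line.rstrip()
        if "," not in line:
            continue  # header, separator or blank line
        nick, _, flags = line.rpartition(" ")
        parts = flags.split(",")
        nick = nick.strip()
        if len(parts) != 3 or not nick or not all(FLAG_RE.match(p) for p in parts):
            continue  # e.g. the "SSL,S/MIME,JAR/XPI" column header
        entries[nick] = tuple(parts)
    return entries


def is_trusted_ca(flags):
    """True if the entry is a trusted CA (C or T, not p) for any purpose."""
    return any(("C" in f or "T" in f) and "p" not in f for f in flags)


def still_trusted(entries, issuer="DigiNotar"):
    """Nicknames containing `issuer` that are still trusted as a CA."""
    return sorted(n for n, f in entries.items()
                  if issuer.lower() in n.lower() and is_trusted_ca(f))


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    leftovers = still_trusted(parse_certutil_listing(listing))
    print("still trusted:", leftovers or "none")
```

On the constructed sample the script reports `DigiNotar Cyber CA` as still trusted while the root carrying `p,p,p` is correctly flagged as distrusted.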
Comment 11 claire robinson 2011-09-01 19:58:56 CEST
Confirmed x86_64

CC: (none) => eeeemail

Comment 12 Dave Hodgins 2011-09-01 20:51:16 CEST
Can someone from the sysadmin team push the srpms
firefox-6.0.1-1.1.mga1.src.rpm
firefox-l10n-6.0.1-1.mga1.src.rpm
From Core Updates Testing to Core Updates

Advisory:
This update removes a fraudulently used root SSL certificate.
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Dave Hodgins 2011-09-01 20:54:17 CEST
Sorry, missed the srpm
xulrunner-6.0.1-1.1.mga1.src.rpm
from the list.
Comment 14 Dave Hodgins 2011-09-01 21:33:12 CEST
Should nss-3.12.11-1.1.mga1.src.rpm be pushed with this update too?
Comment 15 D Morgan 2011-09-01 21:36:22 CEST
yes:

rootcerts
nss
firefox
firefox-l10n
Comment 16 Samuel Verschelde 2011-09-01 21:37:44 CEST
(In reply to comment #15)
> yes:
> 
> rootcerts
> nss
> firefox
> firefox-l10n

and xulrunner?

CC: (none) => stormi

Comment 17 D Morgan 2011-09-01 21:43:38 CEST
update pushed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 18 D Morgan 2011-09-01 21:45:12 CEST
yes pushed too.