Update Mozilla certificate authority bundle to version 2.60

2023-03-11 09:35:49 +01:00 · 2023-03-11 09:35:49 +01:00 · 7eee62eaf1
commit 7eee62eaf1
parent 88d98d1082
4 changed files with 3725 additions and 2555 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,4 +1,4 @@
-ca-certificates (20220111) UNRELEASED; urgency=medium
+ca-certificates (20230311) UNRELEASED; urgency=medium

  [ Đoàn Trần Công Danh ]
  * ca-certificates: compat with non-GNU mktemp (closes: #1000847)
@ -7,14 +7,34 @@ ca-certificates (20220111) UNRELEASED; urgency=medium
  * certdata2pem.py: use UTC time when checking cert validity

  [ Julien Cristau ]
-  * Update Mozilla certificate authority bundle to version 2.52
+  * Update Mozilla certificate authority bundle to version 2.60
    The following certificate authorities were added (+):
-    + "TunTrust Root CA"
-    + "HARICA TLS RSA Root CA 2021"
+    + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+    + "Certainly Root E1"
+    + "Certainly Root R1"
+    + "D-TRUST BR Root CA 1 2020"
+    + "D-TRUST EV Root CA 1 2020"
+    + "DigiCert TLS ECC P384 Root G5"
+    + "DigiCert TLS RSA4096 Root G5"
+    + "E-Tugra Global Root CA ECC v3"
+    + "E-Tugra Global Root CA RSA v3"
    + "HARICA TLS ECC Root CA 2021"
+    + "HARICA TLS RSA Root CA 2021"
+    + "HiPKI Root CA - G1"
+    + "ISRG Root X2"
+    + "Security Communication ECC RootCA1"
+    + "Security Communication RootCA3"
+    + "Telia Root CA v2"
+    + "TunTrust Root CA"
+    + "vTrus ECC Root CA"
+    + "vTrus Root CA"
    The following certificate authorities were removed (-):
    - "Cybertrust Global Root" (expired)
+    - "EC-ACC"
    - "GlobalSign Root CA - R2" (expired)
+    - "Hellenic Academic and Research Institutions RootCA 2011"
+    - "Network Solutions Certificate Authority"
+    - "Staat der Nederlanden EV Root CA" (expired)
  * Drop trailing space from debconf template causing misformatting
    (closes: #980821)

--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@ -2,13 +2,5 @@

 # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
 "Explicitly Distrust DigiNotar Root CA"
-"Explicitly Distrusted DigiNotar PKIoverheid G2"
-"MITM subCA 1 issued by Trustwave"
-"MITM subCA 2 issued by Trustwave"
-"TURKTRUST Mis-issued Intermediate CA 1"
-"TURKTRUST Mis-issued Intermediate CA 2"

-# Expired CA (#995432)
-"DST Root CA X3"
-"Cybertrust Global Root"
-"GlobalSign Root CA - R2"
+# Expired CAs
--- a/mozilla/certdata.txt
+++ b/mozilla/certdata.txt
--- a/mozilla/nssckbi.h
+++ b/mozilla/nssckbi.h
@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 52
-#define NSS_BUILTINS_LIBRARY_VERSION "2.52"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
+#define NSS_BUILTINS_LIBRARY_VERSION "2.60"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1