SUSE-RU-2018:0378-1: moderate: Recommended update for openssl-certs

sle-updates at lists.suse.com sle-updates at lists.suse.com
Tue Feb 6 13:08:29 MST 2018 

   SUSE Recommended Update: Recommended update for openssl-certs
______________________________________________________________________________

Announcement ID:    SUSE-RU-2018:0378-1
Rating:             moderate
References:         #1010996 #1071152 #1071390 
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-SP3-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
______________________________________________________________________________

   An update that has three recommended fixes can now be
   installed.

Description:



   This update for openssl-certs fixes the following issues:

   The system SSL root certificate store was updated to Mozilla certificate
   version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996)

   The old 1024 bit legacy CAs that were temporary left in to allow in-chain
   root certificates were removed as openssl is now able to handle them.

   Further changes coming from Mozilla:

   - New Root CAs added:

     * Amazon Root CA 1: (email protection, server auth)
     * Amazon Root CA 2: (email protection, server auth)
     * Amazon Root CA 3: (email protection, server auth)
     * Amazon Root CA 4: (email protection, server auth)
     * Certplus Root CA G1: (email protection, server auth)
     * Certplus Root CA G2: (email protection, server auth)
     * D-TRUST Root CA 3 2013: (email protection)
     * GDCA TrustAUTH R5 ROOT: (server auth)
     * Hellenic Academic and Research Institutions ECC RootCA 2015: (email
       protection, server auth)
     * Hellenic Academic and Research Institutions RootCA 2015: (email
       protection, server auth)
     * ISRG Root X1: (server auth)
     * LuxTrust Global Root 2: (server auth)
     * OpenTrust Root CA G1: (email protection, server auth)
     * OpenTrust Root CA G2: (email protection, server auth)
     * OpenTrust Root CA G3: (email protection, server auth)
     * SSL.com EV Root Certification Authority ECC: (server auth)
     * SSL.com EV Root Certification Authority RSA R2: (server auth)
     * SSL.com Root Certification Authority ECC: (email protection, server
       auth)
     * SSL.com Root Certification Authority RSA: (email protection, server
       auth)
     * Symantec Class 1 Public Primary Certification Authority - G4: (email
       protection)
     * Symantec Class 1 Public Primary Certification Authority - G6: (email
       protection)
     * Symantec Class 2 Public Primary Certification Authority - G4: (email
       protection)
     * Symantec Class 2 Public Primary Certification Authority - G6: (email
       protection)
     * TrustCor ECA-1: (email protection, server auth)
     * TrustCor RootCert CA-1: (email protection, server auth)
     * TrustCor RootCert CA-2: (email protection, server auth)
     * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)

   - Removed root CAs:

     * AddTrust Public Services Root
     * AddTrust Public CA Root
     * AddTrust Qualified CA Root
     * ApplicationCA - Japanese Government
     * Buypass Class 2 CA 1
     * CA Disig Root R1
     * CA WoSign ECC Root
     * Certification Authority of WoSign G2
     * Certinomis - Autorité Racine
     * Certum Root CA
     * China Internet Network Information Center EV Certificates Root
     * CNNIC ROOT
     * Comodo Secure Services root
     * Comodo Trusted Services root
     * ComSign Secured CA
     * EBG Elektronik Sertifika Hizmet Sağlayıcısı
     * Equifax Secure CA
     * Equifax Secure eBusiness CA 1
     * Equifax Secure Global eBusiness CA
     * GeoTrust Global CA 2
     * IGC/A
     * Juur-SK
     * Microsec e-Szigno Root CA
     * PSCProcert
     * Root CA Generalitat Valenciana
     * RSA Security 2048 v3
     * Security Communication EV RootCA1
     * Sonera Class 1 Root CA
     * StartCom Certification Authority
     * StartCom Certification Authority G2
     * S-TRUST Authentication and Encryption Root CA 2005 PN
     * Swisscom Root CA 1
     * Swisscom Root EV CA 2
     * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
     * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
     * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
     * UTN USERFirst Hardware Root CA
     * UTN USERFirst Object Root CA
     * VeriSign Class 3 Secure Server CA - G2
     * Verisign Class 1 Public Primary Certification Authority
     * Verisign Class 2 Public Primary Certification Authority - G2
     * Verisign Class 3 Public Primary Certification Authority
     * WellsSecure Public Root Certificate Authority
     * Certification Authority of WoSign
     * WoSign China

   - Removed Code Signing rights from a lot of CAs (not listed here).

   - Removed Server Auth rights from:

     * AddTrust Low-Value Services Root
     * Camerfirma Chambers of Commerce Root
     * Camerfirma Global Chambersign Root
     * Swisscom Root CA 2


Patch Instructions:

   To install this SUSE Recommended Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-openssl-certs-13457=1

   - SUSE Linux Enterprise Server 11-SP3-LTSS:

      zypper in -t patch slessp3-openssl-certs-13457=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-openssl-certs-13457=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP4 (noarch):

      openssl-certs-2.22-0.7.3.1

   - SUSE Linux Enterprise Server 11-SP3-LTSS (noarch):

      openssl-certs-2.22-0.7.3.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch):

      openssl-certs-2.22-0.7.3.1


References:

   https://bugzilla.suse.com/1010996
   https://bugzilla.suse.com/1071152
   https://bugzilla.suse.com/1071390

More information about the sle-updates mailing list