Recommended update for openssl-certs
| Announcement ID: | SUSE-RU-2018:0378-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Affected Products: | |
An update that has three fixes can now be installed.
Description:
This update for openssl-certs fixes the following issues:
The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996)
The old 1024-bit legacy CAs that were temporarily left in to allow in-chain root certificates were removed, as openssl is now able to handle them.
Further changes coming from Mozilla:
New Root CAs added:
- Amazon Root CA 1: (email protection, server auth)
- Amazon Root CA 2: (email protection, server auth)
- Amazon Root CA 3: (email protection, server auth)
- Amazon Root CA 4: (email protection, server auth)
- Certplus Root CA G1: (email protection, server auth)
- Certplus Root CA G2: (email protection, server auth)
- D-TRUST Root CA 3 2013: (email protection)
- GDCA TrustAUTH R5 ROOT: (server auth)
- Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
- Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
- ISRG Root X1: (server auth)
- LuxTrust Global Root 2: (server auth)
- OpenTrust Root CA G1: (email protection, server auth)
- OpenTrust Root CA G2: (email protection, server auth)
- OpenTrust Root CA G3: (email protection, server auth)
- SSL.com EV Root Certification Authority ECC: (server auth)
- SSL.com EV Root Certification Authority RSA R2: (server auth)
- SSL.com Root Certification Authority ECC: (email protection, server auth)
- SSL.com Root Certification Authority RSA: (email protection, server auth)
- Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
- Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
- Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
- Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
- TrustCor ECA-1: (email protection, server auth)
- TrustCor RootCert CA-1: (email protection, server auth)
- TrustCor RootCert CA-2: (email protection, server auth)
- TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)
Removed root CAs:
- AddTrust Public Services Root
- AddTrust Public CA Root
- AddTrust Qualified CA Root
- ApplicationCA - Japanese Government
- Buypass Class 2 CA 1
- CA Disig Root R1
- CA WoSign ECC Root
- Certification Authority of WoSign G2
- Certinomis - Autorité Racine
- Certum Root CA
- China Internet Network Information Center EV Certificates Root
- CNNIC ROOT
- Comodo Secure Services root
- Comodo Trusted Services root
- ComSign Secured CA
- EBG Elektronik Sertifika Hizmet Sağlayıcısı
- Equifax Secure CA
- Equifax Secure eBusiness CA 1
- Equifax Secure Global eBusiness CA
- GeoTrust Global CA 2
- IGC/A
- Juur-SK
- Microsec e-Szigno Root CA
- PSCProcert
- Root CA Generalitat Valenciana
- RSA Security 2048 v3
- Security Communication EV RootCA1
- Sonera Class 1 Root CA
- StartCom Certification Authority
- StartCom Certification Authority G2
- S-TRUST Authentication and Encryption Root CA 2005 PN
- Swisscom Root CA 1
- Swisscom Root EV CA 2
- TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
- TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- UTN USERFirst Hardware Root CA
- UTN USERFirst Object Root CA
- VeriSign Class 3 Secure Server CA - G2
- Verisign Class 1 Public Primary Certification Authority
- Verisign Class 2 Public Primary Certification Authority - G2
- Verisign Class 3 Public Primary Certification Authority
- WellsSecure Public Root Certificate Authority
- Certification Authority of WoSign
- WoSign China
Removed Code Signing rights from a lot of CAs (not listed here).
Removed Server Auth rights from:
- AddTrust Low-Value Services Root
- Camerfirma Chambers of Commerce Root
- Camerfirma Global Chambersign Root
- Swisscom Root CA 2
Patch Instructions:
To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Point of Service 11 SP3:
  zypper in -t patch sleposp3-openssl-certs-13457=1
- SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3:
  zypper in -t patch slessp3-openssl-certs-13457=1
- SUSE Linux Enterprise Server 11 SP4:
  zypper in -t patch slessp4-openssl-certs-13457=1
- SLES for SAP Applications 11-SP4:
  zypper in -t patch slessp4-openssl-certs-13457=1
Package List:
- SUSE Linux Enterprise Point of Service 11 SP3 (noarch)
  - openssl-certs-2.22-0.7.3.1
- SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (noarch)
  - openssl-certs-2.22-0.7.3.1
- SUSE Linux Enterprise Server 11 SP4 (noarch)
  - openssl-certs-2.22-0.7.3.1
- SLES for SAP Applications 11-SP4 (noarch)
  - openssl-certs-2.22-0.7.3.1