Bug#718471: iceweasel: Root Verisign cert allowed to sign code in ff but not iceweasel
Thijs Kinkhorst
thijs at debian.org
Fri Aug 2 13:34:56 UTC 2013
Hi Mike,
On Thu, August 1, 2013 06:26, Mike Hommey wrote:
> Version: 2:3.14.6-1
I'm having trouble locating this version...
> On Wed, Jul 31, 2013 at 11:05:08PM -0500, Karl O. Pinc wrote:
>> Package: iceweasel
>> Version: 17.0.7esr-1~deb7u1
>> Severity: important
>>
>> Hi,
>>
>> I'm finding that the root cert "CN=VeriSign Class 3 Public Primary
>> Certification Authority - G5" is not authorized to sign java code.
>> Specifically, I'm running icetea and I get a cert popup when trying to
>> run java code signed by a cert signed by the root cert above.
>>
>> Mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=602107 was
>> supposed to have fixed this in FF 16, yet the problem is still in
>> Iceweasel in Wheezy which is v17.
>>
>> I've given this an "important" severity since it seems a security
>> problem when the user has to tell the browser to run untrusted code,
>> and I imagine that the typical work-around is that the user tells the
>> browser to trust all code coming from the site they are visiting. (In
>> my case I get this when trying to use some functionality provided by a
>> bank.) If you do not consider it a security problem -- if the problem
>> will not be fixed in Wheezy -- I'd appreciate suggestions as to how to
>> handle this problem long-term in Wheezy. It's really painful to check
>> the cert hashes for every java applet I need to run every time I need
>> to run them.
>
> Let's see with the security team. What's our policy on CA updates for
> stable?
I'm not opposed to that but I don't see it as DSA material: there's no
acute security problem with the certificate as it is now (it's not
compromised or anything), it's that its reach is not as wide as it could
be.
So I'm inclined to advise to fix this issue through a stable point update
bugfix.
Of course, as usual, we can fold the update into the next DSA for nss if such
a DSA appears sooner than the point release.
Cheers,
Thijs
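The report above describes a root CA that NSS trusts for SSL but not for object (code) signing, which is what triggers the applet trust prompt. The following is an added example, not part of this thread or of any Debian or Mozilla code: it parses the listing printed by NSS's own `certutil -L -d <dbdir>` (where the last column is the three-slot trust string SSL,S/MIME,JAR/XPI and "C" marks a trusted CA for that purpose) and lists CAs that carry SSL trust but lack object-signing trust. The sample listing embedded below is constructed for the example; run the real command against an actual profile to check a given system.

```python
"""Find NSS root CAs trusted for SSL but not for object (JAR/XPI) signing.

Added example for this thread; not part of the bug report, Debian, or NSS.
The input format is the output of `certutil -L -d <dbdir>`, whose final
column holds three comma-separated trust slots: SSL, S/MIME, JAR/XPI.
A "C" in a slot means "trusted CA for that purpose"; an empty slot means
no trust for that purpose. The listing below is constructed sample data.
"""
import re
from typing import Dict, List, NamedTuple


class Trust(NamedTuple):
    ssl: str      # SSL/TLS trust slot
    smime: str    # S/MIME (email) trust slot
    objsign: str  # JAR/XPI object-signing slot, the one signed applets need


# Constructed sample in the layout certutil -L prints (nicknames invented,
# except the VeriSign G5 root named in the report; the flags shown for it
# are what the report describes, not a measurement of any real profile).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VeriSign Class 3 Public Primary Certification Authority - G5 C,C,
Example Root CA (constructed)                                C,C,C
Example Peer Cert (constructed)                              P,P,P
"""

# Nickname (may contain spaces), whitespace, then a three-slot trust string.
# Header lines contain no comma-separated flag triple and are skipped.
_ENTRY_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_listing(text: str) -> Dict[str, Trust]:
    """Map certificate nickname -> Trust slots for each entry in the listing."""
    certs: Dict[str, Trust] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue  # column header, blank line, or unparseable line
        ssl, smime, objsign = m.group("trust").split(",")
        certs[m.group("nick")] = Trust(ssl, smime, objsign)
    return certs


def is_trusted_ca_for_objsign(t: Trust) -> bool:
    """True when the CA is trusted to sign code (JAR/XPI) under this profile."""
    return "C" in t.objsign


def cas_missing_objsign_trust(certs: Dict[str, Trust]) -> List[str]:
    """CAs trusted for SSL but not for object signing: the condition reported."""
    return sorted(
        nick for nick, t in certs.items()
        if "C" in t.ssl and not is_trusted_ca_for_objsign(t)
    )


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for nick in cas_missing_objsign_trust(listing):
        print(f"SSL-trusted but not code-signing-trusted: {nick}")
```

Feeding it real output (`certutil -L -d sql:$HOME/.mozilla/firefox/<profile>` or the system NSS database) shows whether a given root carries the JAR/XPI slot; a CA listed by `cas_missing_objsign_trust` will produce exactly the prompt described in the report, and the fix on the NSS side is a trust-bit change rather than a new certificate.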