Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://follow.agwa.name/objects/c5cea055-985e-481c-8125-79fa86c44640">Andrew Ayer (agwa@follow.agwa.name)'s status on Wednesday, 08-Jan-2025 21:57:18 JST</a><a href="https://follow.agwa.name/users/agwa" title="agwa@follow.agwa.name"><img src="https://gnusocial.jp/avatar/140092-48-20230626194014.webp" width="48" height="48" alt="Andrew Ayer" style="position: absolute; left: 0; top: 0;">Andrew Ayer</a></section><article>Yesterday's Alpine Linux 3.21.1 release prematurely removed Entrust from the trust store, breaking TLS connections to servers using Entrust certs. They should have waited until Jan 2, 2026. Unfortunately, they vendor curl's <a href="http://mk-ca-bundle.pl">mk-ca-bundle.pl</a> and didn't update it after curl fixed this bug. <a href="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6">https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6</a><br><br>Alpine is a popular base image for containers so this has the potential to be disruptive.<br><br>Background: <a href="https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended">https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4334687#notice-8474035">In conversation</a><time datetime="2025-01-08T21:57:18+09:00" title="Wednesday, 08-Jan-2025 21:57:18 JST">about 22 days ago</time> <span>from <span><a href="https://follow.agwa.name/objects/c5cea055-985e-481c-8125-79fa86c44640" rel="external" title="Sent from follow.agwa.name via ActivityPub">follow.agwa.name</a></span></span><a href="https://follow.agwa.name/objects/c5cea055-985e-481c-8125-79fa86c44640">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: sslmate.com</div><h5><a href="https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended">The Entrust Distrust Will Be More Disruptive Than Intended</a></h5><div> from <span>@SSLMate</span></div></header><div>Non-browser clients don't properly handle the Distrust After date</div><footer></footer></article></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/3867421">Untitled attachment</a></label><br></li><li><article><header><div>Domain not in remote thumbnail source whitelist: gitlab.alpinelinux.org</div><h5><a href="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6">ca-certificates bundle incorrectly excludes root CAs with CKA_NSS_SERVER_DISTRUST_AFTER (#6) · Issues · alpine / ca-certificates · GitLab</a></h5><div></div></header><div>The build script in ca-certificates incorrectly omits CA roots with a "DistrustAfter" attribute. See this fix in curl: https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c#diff-672849fde302af412196cdff759aa84b274074a01561227ee4f8c102c1ee346dL556...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Wednesday, 08-Jan-2025 21:57:18 JST Andrew Ayer
Yesterday's Alpine Linux 3.21.1 release prematurely removed Entrust from the trust store, breaking TLS connections to servers using Entrust certs. They should have waited until Jan 2, 2026. Unfortunately, they vendor curl's mk-ca-bundle.pl and didn't update it after curl fixed this bug. https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6

Alpine is a popular base image for containers so this has the potential to be disruptive.

Background: https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended
In conversationabout 22 days ago from follow.agwa.namepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: sslmate.com
  The Entrust Distrust Will Be More Disruptive Than Intended
  from @SSLMate
  Non-browser clients don't properly handle the Distrust After date
2. Untitled attachment
3. Domain not in remote thumbnail source whitelist: gitlab.alpinelinux.org
  ca-certificates bundle incorrectly excludes root CAs with CKA_NSS_SERVER_DISTRUST_AFTER (#6) · Issues · alpine / ca-certificates · GitLab
  The build script in ca-certificates incorrectly omits CA roots with a "DistrustAfter" attribute. See this fix in curl: https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c#diff-672849fde302af412196cdff759aa84b274074a01561227ee4f8c102c1ee346dL556...

Public

Embed Notice

HTML Code

Corresponding Notice