briandfoy / cpan-security-advisory

CPAN Security Advisory Database
Artistic License 2.0

Mozilla::CA - latest cert distrusts Globaltrust 2000 #161

Closed sparrow2009 closed 1 month ago

sparrow2009 commented 1 month ago

Does any outdated version of Mozilla::CA qualify as a vulnerability in the sense of a CPAN Security Advisory?

briandfoy commented 1 month ago

How do you mean?

stigtsp commented 1 month ago

Hi @sparrow2009, I'm a bit on the fence about this.

Code using Mozilla::CA instead of an updated cert store (such as regularly updated cacert from your distro) could be argued to introduce a weakness, if Mozilla::CA is outdated, maybe. But I don't think old versions of Mozilla::CA should automatically be set as vulnerable.

... but I do agree that this is a problem, and there has been some effort to remove dependencies on Mozilla::CA.

briandfoy commented 1 month ago

Note that this project is not a primary source of security vulnerabilities. If a reputable source has registered a vulnerability or the developer has acknowledged a vulnerability, we can include it. If you think something is a vulnerability, you should report it through established channels so competent people (not me) can review and expand it.

For example, in https://metacpan.org/dist/Mozilla-CA/changes I see that some certificates have been removed. If those expired normally, that's fine. If they were removed because they were compromised, it might be useful to have a report for that. I don't know why these certs were removed, though. Someone in that world might be able to speak to that.

n1vux commented 1 month ago

If they were removed because they were compromised

Some root certs have been revoked for cause over the decades. IDK how many were compromised per se vs. revoked because of inappropriate behavior by the CA issuing certs with that root cert (e.g., not enforcing domain ownership on requests / not rejecting requests for a cert for mail.google.com from fraudsters; working with malware vendors).

The first one I spot in the linked CHANGES (above) that's certain is 20230801 TrustCor; failure to remove trust from that root could be a Security Audit Finding.

However, the currently latest 20240730 change setting distrust-after GLOBALTRUST 2020 (which Mozilla-CA removed rather than setting harsh flags with a date) appears to be a case of the community distrusting the CA after a date; using a CA root set that had not been updated to limit or remove that root would be a Security Audit Finding.

So failure to update to the latest would be currently reportable today, if we want to go there. But there's no CVE number for Mozilla's decision to distrust a Root CA cert or a whole Root CA, if our metadata requires such.
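
The audit check described above (is a root the community has distrusted still present in the bundle a Perl program trusts?), as an added example that is not part of this thread or the cpan-security-advisory project: it reads a PEM bundle in the layout Mozilla::CA ships, fingerprints every certificate, and reports any that match a list of distrusted fingerprints. The bundle bodies are constructed placeholders rather than real certificates, and the fingerprints of the TrustCor and GLOBALTRUST 2020 roots are not on this page, so the distrusted set is built from the placeholders too.

```python
import base64
import hashlib
import re
import ssl

# Constructed placeholder "certificates": arbitrary bytes, NOT real DER.
# They only exist so the audit logic below can run offline.
ROOT_A = b"placeholder root A (constructed)"
ROOT_B = b"placeholder root B, stands in for a distrusted root (constructed)"

# Constructed bundle in the layout Mozilla::CA ships (comments plus PEM blocks).
SAMPLE_BUNDLE = (
    "## Constructed sample bundle, not the real Mozilla::CA file\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(ROOT_A).decode() + "\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(ROOT_B).decode() + "\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(der):
    """openssl-style SHA-256 fingerprint: upper-case hex, colon separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(pem_bundle):
    """Fingerprint of every certificate block in a PEM bundle, in file order."""
    return [sha256_fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_BLOCK.findall(pem_bundle)]


def audit_bundle(pem_bundle, distrusted):
    """Flag distrusted roots that are still shipped in the bundle.

    `distrusted` holds SHA-256 fingerprints; colons and letter case are
    ignored so values copied from different tools compare equal.
    """
    wanted = {fp.upper().replace(":", "") for fp in distrusted}
    found = fingerprints(pem_bundle)
    hits = [fp for fp in found if fp.replace(":", "") in wanted]
    return {"certs": len(found), "distrusted_present": hits, "finding": bool(hits)}


if __name__ == "__main__":
    # Pretend ROOT_B is the root that was distrusted after a given date.
    print(audit_bundle(SAMPLE_BUNDLE, {sha256_fingerprint(ROOT_B)}))
```

On a real system, point it at the file returned by `Mozilla::CA::SSL_ca_file()` (or the distro's cacert bundle) and at fingerprints taken from the CA program's own announcements.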

briandfoy commented 1 month ago

We don't need a CVE, but I would like to know why we report a version as insecure. The sort of information that @n1vux provides is the sort of thing that we'd put in the description. We'd also want to include any references about those decisions so people can evaluate our report.

briandfoy commented 1 month ago

It turns out that CVE-2024-39689 covers this, so I'm adding Mozilla::CA.

Thanks for pointing out that we should pay attention to this module. Even if we decide against something, it's always better to check. Suggest away when you find other gaps. This is especially important when the string "perl" or "cpan" would not appear in the vulnerability report.

sparrow2009 commented 1 month ago

Sorry for being unresponsive. I should never have opened this issue only a few business hours away from the (European) weekend. And thanks to all for being responsive, filling in the gap in the meantime and elaborating on this.

As I understand from what @briandfoy said so far concerning the scope of this project, the following might be out of scope (and that is perfectly fine): taking "CPAN Security Advisory" literally could also mean including any new certificates added to the store as an advisory, as this also touches security from the opposite perspective (trust and distrust are actually describing the same thing). That Linux distros, to my knowledge, usually distribute all updates to their CA trust store as a security update would underpin that view.

Thank you for taking your time.

briandfoy commented 1 month ago

@sparrow2009 Nah, I say open it even if it's incomplete. That way you don't forget about it. I'm always going to try to respond as soon as I see it just so people know I saw it, even if I can't do anything immediately. Eventually we'll all pitch in and get there somehow, just like we did. Thanks,