From c750e5b8a31ed5267150167ac68b5a5f89fc488b Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 15 Jun 2024 21:24:54 +0200 Subject: Typofix Pointed by Jonathan Wiltshire at https://bugs.debian.org/1073174#12 . Thanks! --- debian/changelog | 13 +++++++------ debian/patches/Fix-post-issuance-validation-logic.patch | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 9a0e819..febb402 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,12 @@ lacme (0.8.2-1+deb12u1) bookworm; urgency=medium - * Backport upstream patches to fix post-issuance validation logic. - We avoid pining the intermediate certificates in the bundle and instead - validate the leaf certificate with intermediates supplied during issuance - as untrusted (used for chain building only). Only the root certificates - are used as trust anchor. Not pining intermediate certificates is in line - with Let's Encrypt's latest recommendations. + * Backport upstream patches to fix post-issuance validation logic. We avoid + pinning the intermediate certificates in the bundle and instead validate + the leaf certificate with intermediates supplied during issuance as + untrusted (used for chain building only). Only the root certificates are + used as trust anchor. + Not pinning intermediate certificates is in line with Let's Encrypt's + latest recommendations. Closes: #1072847 * Adjust test suite against current Let's Encrypt staging environment. * d/gbp.conf: Set 'debian-branch = debian/bookworm'. diff --git a/debian/patches/Fix-post-issuance-validation-logic.patch b/debian/patches/Fix-post-issuance-validation-logic.patch index 1453055..6296928 100644 --- a/debian/patches/Fix-post-issuance-validation-logic.patch +++ b/debian/patches/Fix-post-issuance-validation-logic.patch @@ -7,7 +7,7 @@ validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. -Not pining intermediate certificates anymore is in line with Let's +Not pinning intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the -- cgit v1.2.3