#63165 closed task (blessed) (fixed)
Update bundled root certificates for 6.9
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 6.9 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
This ticket is for updating the Root Certificates bundle included in WordPress Core for the 6.9 release cycle.
Previously:
Note: Some unexpired legacy 1024-bit certificates are included manually for backwards compatibility. See [35919].
Change History (106)
#2 follow-up: ↓ 3
@
5 months ago
@desrosj should we backport this to branch 6.8? Worth considering fixing this in 6.8.2 as it is not something that should break anything.
#3 in reply to: ↑ 2
@
5 months ago
- Keywords has-patch fixed-major added
Replying to audrasjb:
> @desrosj should we backport this to branch 6.8?
I think that's reasonable, yes.
Ideally, we should keep these certificate files in sync for all branches currently eligible to receive security updates. But it doesn't make sense to backport every update. After the changes applied in #62811, the patches should be trivial to backport without any conflicts.
We need to just decide what frequency we're comfortable with. Syncing every time there's an update (though it is infrequent) is probably not worth the extra noise. It could also just be a checklist item for the Security Team when they decide to push a patch to older branches.
This ticket was mentioned in PR #9140 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #30
Version bump and changelog update for WordPress 4.7.30
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9141 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #31
Version bump and changelog update for WordPress 4.8.26
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9142 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #32
Version bump and changelog update for WordPress 4.9.27
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9143 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #33
Version bump and changelog update for WordPress 5.0.23
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9144 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #34
Version bump and changelog update for WordPress 5.1.20
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9145 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #35
Version bump and changelog update for WordPress 5.2.22
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9146 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #36
Version bump and changelog update for WordPress 5.3.19
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9147 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #37
Version bump and changelog update for WordPress 5.4.17
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9148 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #38
Version bump and changelog update for WordPress 5.5.16
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9149 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #39
Version bump and changelog update for WordPress 5.6.15
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9150 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #40
Version bump and changelog update for WordPress 5.7.13
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9151 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #41
Version bump and changelog update for WordPress 5.8.11
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9152 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #42
Version bump and changelog update for WordPress 5.9.11
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9153 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #43
Version bump and changelog update for WordPress 6.0.10
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9154 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #44
Version bump and changelog update for WordPress 6.1.8
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9155 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #45
Version bump and changelog update for WordPress 6.2.7
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9156 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #46
Version bump and changelog update for WordPress 6.3.6
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9157 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #47
Version bump and changelog update for WordPress 6.4.6
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9158 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #48
Version bump and changelog update for WordPress 6.5.7
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9159 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #49
Version bump and changelog update for WordPress 6.6.4
There are no planned security fixes for this release other than updating the bundled root certificates.
This ticket was mentioned in PR #9160 on WordPress/wordpress-develop by @peterwilsoncc.
5 months ago #50
Version bump and changelog update for WordPress 6.7.3
There are no planned security fixes for this release other than updating the bundled root certificates.
@peterwilsoncc commented on PR #9158:
5 months ago #51
Thanks for fixing this John. You are correct. I can't do so via the UI but consider your contribution approved.
@peterwilsoncc commented on PR #9158:
5 months ago #52
Thanks for fixing this John. You are correct. I can't do so via the UI but consider your contribution approved.
@peterwilsoncc commented on PR #9158:
5 months ago #53
Thanks for fixing this John. You are correct. I can't do so via the UI but consider your contribution approved.
@peterwilsoncc commented on PR #9159:
5 months ago #54
Thanks for fixing this John. You are correct. I can't do so via the UI but consider your contribution approved.
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
4 months ago
@johnbillion commented on PR #9160:
3 months ago #56
@johnbillion commented on PR #9159:
3 months ago #57
@johnbillion commented on PR #9158:
3 months ago #58
@johnbillion commented on PR #9157:
3 months ago #59
@johnbillion commented on PR #9156:
3 months ago #60
@johnbillion commented on PR #9155:
3 months ago #61
@johnbillion commented on PR #9154:
3 months ago #62
@johnbillion commented on PR #9153:
3 months ago #63
@johnbillion commented on PR #9152:
3 months ago #64
@johnbillion commented on PR #9151:
3 months ago #65
@johnbillion commented on PR #9150:
3 months ago #66
@johnbillion commented on PR #9149:
3 months ago #67
@johnbillion commented on PR #9148:
3 months ago #68
@johnbillion commented on PR #9147:
3 months ago #69
@johnbillion commented on PR #9146:
3 months ago #70
@johnbillion commented on PR #9145:
3 months ago #71
@johnbillion commented on PR #9144:
3 months ago #72
@johnbillion commented on PR #9143:
3 months ago #73
@johnbillion commented on PR #9142:
3 months ago #74
@johnbillion commented on PR #9141:
3 months ago #75
@johnbillion commented on PR #9140:
3 months ago #76
This ticket was mentioned in Slack in #core by welcher. View the logs.
2 weeks ago
#79
@
11 days ago
Noting that composer/ca-bundle has now been updated to version 1.5.9. https://github.com/composer/ca-bundle/releases/tag/1.5.9
#104
@
11 days ago
- Keywords fixed-major removed
- Resolution set to fixed
- Status changed from new to closed
Closing this as fixed. There was a release today of the package, so there should be no more prior to the 6.9 release.
I've also gone and backported both the 1.5.8 and 1.5.9 updates all the way back to the 4.7 branch. These updates will be shipped if a security release is deemed necessary for each branch.
For future reference, backporting to WP <= 6.7 requires a bit of extra consideration for a few reasons:
- The `composer.json` file does not list the `composer/ca-bundle` dependency
- The `src/wp-includes/certificates/cacert.pem` file is not committed to version control.
Because of this, `svn merge -c 60691,61146 '^/trunk'` fails. This is what worked for me:
`svn merge --accept working -c 60691,61146 '^/trunk' && svn revert composer.json`.
The `ca-bundle.crt` files in each branch are identical, so we can assume there will only be conflicts in `composer.json` and `cacert.pem`. The `--accept working` uses the state of `cacert.pem` for the working copy, and then this just reverts the `composer.json` file manually.
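A post-merge check for the backport procedure described above, as an added example that is not part of the ticket or of WordPress: it compares the certificates in a branch's bundle against trunk's by SHA-256 of each decoded PEM block and reports roots that are missing or extra, failing on truncated files or stray conflict markers. The label layout (a name line followed by a row of `=`) and the two sample bundles are assumptions constructed for illustration.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def parse_bundle(pem_text):
    """Return {sha256 of decoded block: label} for each certificate in a PEM bundle."""
    certs, label, body, inside = {}, "", [], False
    for raw in pem_text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END:
            if not inside:
                raise ValueError("END marker without BEGIN")
            # validate=True rejects stray text such as merge conflict markers
            der = base64.b64decode("".join(body), validate=True)
            certs[hashlib.sha256(der).hexdigest()] = label or "(unlabelled)"
            inside, label = False, ""
        elif inside:
            body.append(line)
        elif line and not line.startswith("#") and set(line) != {"="}:
            label = line  # assumed layout: name line, then a row of '='
    if inside:
        raise ValueError("truncated bundle: BEGIN marker without END")
    return certs

def diff_bundles(reference, candidate):
    """Labels of certificates missing from / extra in candidate vs. reference."""
    ref, cand = parse_bundle(reference), parse_bundle(candidate)
    missing = sorted(ref[h] for h in ref.keys() - cand.keys())
    extra = sorted(cand[h] for h in cand.keys() - ref.keys())
    return missing, extra

def _entry(label, payload):
    # Constructed sample data: payload is placeholder bytes, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return f"{label}\n{'=' * len(label)}\n{BEGIN}\n{b64}\n{END}\n\n"

TRUNK = _entry("Example Root A", b"constructed-A") + _entry("Example Root B", b"constructed-B")
BRANCH = _entry("Example Root A", b"constructed-A") + _entry("Example Legacy Root", b"constructed-L")

if __name__ == "__main__":
    missing, extra = diff_bundles(TRUNK, BRANCH)
    print("missing from branch:", missing)
    print("only in branch:", extra)
```

In practice the two arguments would be the text of the bundle file from the trunk checkout and from the branch working copy after the merge; an empty result on both sides means the certificate sets match.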
In 60320: