Debian dla-4485 : ca-certificates - security update

high Nessus Plugin ID 299779

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4485 advisory.

Debian LTS Advisory DLA-4485-1
[email protected]
https://www.debian.org/lts/security/
Bastien Roucaris
February 20, 2026
https://wiki.debian.org/LTS

Package : ca-certificates
Version : 20230311+deb12u1~deb11u1
Debian Bug : 995432 1095913

ca-certificates, a package that contains the certificate authorities shipped with Mozilla's browser to allow SSL-based applications to check for the authenticity of SSL connections, was updated.

The Mozilla certificate authority bundle was updated to version 2.60.

The following certificate authorities were added (+):
+ AC RAIZ FNMT-RCM SERVIDORES SEGUROS
+ ANF Secure Server Root CA
+ Autoridad de Certificacion Firmaprofesional CIF A62634068
+ Certainly Root E1
+ Certainly Root R1
+ Certum EC-384 CA
+ Certum Trusted Root CA
+ D-TRUST BR Root CA 1 2020
+ D-TRUST EV Root CA 1 2020
+ DigiCert TLS ECC P384 Root G5
+ DigiCert TLS RSA4096 Root G5
+ E-Tugra Global Root CA ECC v3
+ E-Tugra Global Root CA RSA v3
+ GlobalSign Root R46
+ GlobalSign Root E46
+ GLOBALTRUST 2020
+ HARICA TLS ECC Root CA 2021
+ HARICA TLS RSA Root CA 2021
+ HiPKI Root CA - G1
+ ISRG Root X2
+ Security Communication ECC RootCA1
+ Security Communication RootCA3
+ Telia Root CA v2
+ TunTrust Root CA
+ vTrus ECC Root CA
+ vTrus Root CA

The following certificate authorities were removed (-):
- Chambers of Commerce Root - 2008
- Cybertrust Global Root (expired)
- EC-ACC
- GeoTrust Primary Certification Authority - G2
- Global Chambersign Root - 2008
- GlobalSign Root CA - R2 (expired)
- Hellenic Academic and Research Institutions RootCA 2011
- Network Solutions Certificate Authority
- QuoVadis Root CA
- Sonera Class 2 Root CA
- Staat der Nederlanden EV Root CA (expired)
- Staat der Nederlanden Root CA - G3
- Trustis FPS Root CA
- VeriSign Universal Root Certification Authority

This update also adds 2 Sectigo roots that are in active use and causing interop issues; these roots were included in the Mozilla bundle version 2.62:
+ Sectigo Public Server Authentication Root E46
+ Sectigo Public Server Authentication Root R46

The expired root certificate DST Root CA X3 was blacklisted.

Please note that Debian can neither confirm nor deny whether the certificate authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system administrator.

For Debian 11 bullseye, this problem has been fixed in version 20230311+deb12u1~deb11u1.

We recommend that you upgrade your ca-certificates packages.

For the detailed security status of ca-certificates please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ca-certificates

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the ca-certificates packages.

See Also

http://www.nessus.org/u?c9932d96

https://packages.debian.org/source/bullseye/ca-certificates

Plugin Details

Severity: High

ID: 299779

File Name: debian_DLA-4485.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/23/2026

Updated: 2/23/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ca-certificates, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:ca-certificates-udeb

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/20/2026

Vulnerability Publication Date: 2/20/2026