Bug 1213662 (CVE-2023-37920)

Summary: VUL-0: CVE-2023-37920: python-certifi: Removal of e-Tugra root certificate
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: doreilly, jzerebecki, mcepl, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373426/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-37920:7.4:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-07-26 07:10:46 UTC
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37920
https://bugzilla.redhat.com/show_bug.cgi?id=2226586
https://www.cve.org/CVERecord?id=CVE-2023-37920
https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
Comment 1 Gianluca Gabrielli 2023-07-26 07:38:09 UTC
Please update to version 2023.07.22.

Affected packages:
- SUSE:SLE-12-SP1:Update/python-certifi
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-certifi
- SUSE:RES-7:Update/python-certifi
- SUSE:ALP:Source:Standard:1.0/python-certifi
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-certifi
- SUSE:RES-7:Update:Products:ManagerToolsBeta:Update/python-certifi
- SUSE:SLE-15:Update/python-certifi

@mcepl could you please take care of the non-Cloud and non-RES codestreams?
@cloud-bugs please take care of cloud* related codestreams
Comment 3 Jan Zerebecki 2023-08-02 07:36:15 UTC
None of these are affected. In all listed projects this package is patched to use the system cert store. (The system cert store still needs to be fixed for a similar issue, but that is a different CVE.)
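The description says certifi ships its own root store and that 2023.07.22 drops the e-Tugra roots; Comment 3 says the SUSE builds instead point certifi at the system bundle. The audit below is an added example, not code from certifi, Mozilla or the SUSE package. It parses a PEM bundle in the comment-annotated layout certifi's cacert.pem uses, matches roots by their "# Label:" line, and also matches by SHA-256 fingerprint so a bundle without such comments (for instance the system store) can be checked against fingerprints taken from the upstream commit. The sample bundle is constructed: the PEM bodies are placeholders rather than real certificates, the e-Tugra labels are assumed for the test, and the "site-packages" heuristic in is_private_bundle is an assumption about how a patched package can be told apart from a vendored bundle.

```python
"""Audit a CA bundle for e-Tugra roots, by certifi-style label or by SHA-256
fingerprint. Added example; not code from certifi or from the SUSE package."""
import base64
import hashlib
import os
import re

# Constructed sample in the layout of certifi's cacert.pem, where each
# certificate is preceded by '# Label:' comment lines. The PEM bodies are
# placeholders, not real certificates; the e-Tugra labels are assumed here
# and only serve to exercise the name match.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example
# Subject: CN=Example Root CA O=Example
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----

# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIx
-----END CERTIFICATE-----

# Label: "E-Tugra Global Root CA RSA v3"
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIy
-----END CERTIFICATE-----
"""

LABEL_RE = re.compile(r'^#\s*Label:\s*"(.*)"\s*$')
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Return one dict per PEM block: the preceding '# Label:' (or None),
    the DER bytes and their SHA-256 fingerprint (lowercase hex)."""
    entries, label, body = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:
            m = LABEL_RE.match(line)
            if m:
                label = m.group(1)
            elif line == PEM_BEGIN:
                body = []
        elif line == PEM_END:
            der = base64.b64decode("".join(body), validate=True)
            entries.append({"label": label, "der": der,
                            "sha256": hashlib.sha256(der).hexdigest()})
            label, body = None, None
        else:
            body.append(line)
    if body is not None:
        raise ValueError("unterminated PEM block")
    return entries


def find_by_label(text, needle="e-tugra"):
    """Labels containing `needle` (case-insensitive). Only bundles that carry
    certifi-style '# Label:' comments can be checked this way."""
    needle = needle.lower()
    return [e["label"] for e in parse_bundle(text)
            if e["label"] and needle in e["label"].lower()]


def find_by_fingerprint(text, denylist):
    """Entries whose SHA-256 fingerprint is in `denylist` (hex, colons and
    case ignored). Works for any PEM bundle, including the system store."""
    wanted = {fp.replace(":", "").lower() for fp in denylist}
    return [e for e in parse_bundle(text) if e["sha256"] in wanted]


def is_private_bundle(path):
    """Heuristic (assumption): a bundle under site-packages/dist-packages is
    certifi's own copy of the roots; anything else is taken to be the
    distribution's store that a patched package points at."""
    parts = os.path.normpath(path).split(os.sep)
    return "site-packages" in parts or "dist-packages" in parts


def audit_installed_certifi(needle="e-tugra", denylist=()):
    """Inspect the bundle certifi.where() points at on this host.
    Returns None when certifi is not importable."""
    try:
        import certifi
    except ImportError:
        return None
    path = certifi.where()
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {"path": path,
            "private_bundle": is_private_bundle(path),
            "by_label": find_by_label(text, needle),
            "by_fingerprint": [e["sha256"]
                               for e in find_by_fingerprint(text, denylist)]}


if __name__ == "__main__":
    print(find_by_label(SAMPLE_BUNDLE))
    print(audit_installed_certifi())
```

On a build like the ones Comment 3 describes, audit_installed_certifi() reports a path outside site-packages and an empty by_label list even if the system store still carries the roots, because the system bundle need not have the "# Label:" comments; for that case pass the SHA-256 fingerprints of the removed certificates from the upstream commit in denylist and rely on by_fingerprint.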
Comment 4 Marcus Meissner 2023-08-02 18:07:24 UTC
closing