Bug 1227519 (CVE-2024-39689)

Summary: VUL-0: CVE-2024-39689: python-certifi: remove root certificates from `GLOBALTRUST` from the root store
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: andrea.mattiazzo, daniel.garcia, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412941/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39689:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-08 14:01:54 UTC
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39689
https://www.cve.org/CVERecord?id=CVE-2024-39689
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
https://bugzilla.redhat.com/show_bug.cgi?id=2296020
Comment 2 Daniel Garcia 2024-07-09 07:28:35 UTC
This issue doesn't affect our package because these packages use the certificates from the system (/etc/ssl/ca-bundle.pem). The cacert.pem provided by upstream is removed from the final package.

So these codestreams are not affected:
 - SUSE:ALP:Source:Standard:1.0/python-certifi
 - SUSE:SLE-15-SP4:Update/python-certifi

I've created an update request for Factory and SLFO, even when these packages are not affected either.
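A way to confirm the point made in the comment above: ask certifi which bundle it actually hands out (on the SUSE package that resolves to the system /etc/ssl/ca-bundle.pem) and scan every certificate in it for a `GLOBALTRUST` name. This is an added example, not code from this bug report or from the certifi project; the minimal DER string walker is my own, and the two-entry sample bundle is constructed for the offline test (its entries are tiny hand-built DER structures, not real certificates).

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(bundle_text: str):
    """Yield the DER bytes of each CERTIFICATE block in a PEM bundle."""
    for m in PEM_RE.finditer(bundle_text):
        yield base64.b64decode("".join(m.group(1).split()))


def der_strings(der: bytes):
    """Yield every UTF8String/PrintableString found in a DER blob.

    Walks SEQUENCE/SET/explicit-tag containers (constructed bit 0x20 set);
    subject and issuer names of an X.509 certificate live in such containers.
    """
    pos = 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long-form length: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        value, pos = der[pos:pos + length], pos + length
        if tag & 0x20:
            yield from der_strings(value)
        elif tag in (0x0C, 0x13):  # UTF8String, PrintableString
            yield value.decode("utf-8", "replace")


def find_roots(bundle_text: str, needle: str = "GLOBALTRUST"):
    """Return one matching name string per certificate whose DER mentions `needle`."""
    hits = []
    for der in pem_certs(bundle_text):
        names = [s for s in der_strings(der) if needle in s]
        if names:
            hits.append(names[0])
    return hits


def _fake_cert(name: str) -> str:
    """Constructed stand-in: a DER SEQUENCE wrapping one UTF8String, PEM-armoured."""
    body = bytes([0x0C, len(name)]) + name.encode()
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _fake_cert("GLOBALTRUST 2020") + _fake_cert("Example Root CA")  # constructed

if __name__ == "__main__":
    try:
        import certifi
        path = certifi.where()  # /etc/ssl/ca-bundle.pem on the SUSE package
        with open(path, encoding="utf-8", errors="replace") as f:
            print(path, find_roots(f.read()))
    except ImportError:
        print("certifi not installed; sample bundle:", find_roots(SAMPLE_BUNDLE))
```

An empty list against the bundle certifi.where() names means no GLOBALTRUST root is trusted through that path, whichever file it is.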
Comment 3 OBSbugzilla Bot 2024-07-09 07:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1227519) was mentioned in
https://build.opensuse.org/request/show/1186314 Factory / python-certifi
Comment 5 Andrea Mattiazzo 2024-07-09 08:21:34 UTC
All done, closing.