Bugzilla – Bug 1213662
VUL-0: CVE-2023-37920: python-certifi: Removal of e-Tugra root certificate
Last modified: 2023-08-02 18:07:24 UTC
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
- https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-37920
- https://bugzilla.redhat.com/show_bug.cgi?id=2226586
- https://www.cve.org/CVERecord?id=CVE-2023-37920
Please update to version 2023.07.22.

Affected packages:
- SUSE:SLE-12-SP1:Update/python-certifi
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-certifi
- SUSE:RES-7:Update/python-certifi
- SUSE:ALP:Source:Standard:1.0/python-certifi
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-certifi
- SUSE:RES-7:Update:Products:ManagerToolsBeta:Update/python-certifi
- SUSE:SLE-15:Update/python-certifi

@mcepl could you please take care of the non-Cloud and non-RES codestreams?
@cloud-bugs please take care of cloud* related codestreams
None of these are affected. This package is in all listed projects patched to use the system cert store. (The system cert store still needs to be fixed for a similar issue, but that is a different CVE.)
closing
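
A check for the condition this bug tracks, as an added example that is not part of the bug report or of certifi: it scans a bundle in the commented layout of certifi's cacert.pem for e-Tugra entries and compares a version string against 2023.07.22. The sample bundle, its labels and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout certifi uses for cacert.pem: "# Key: value"
# comment lines followed by the PEM block. Labels and bodies are placeholders.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Trust
# Subject: CN=Example Root CA O=Example Trust
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----

# Issuer: CN=E-Tugra Placeholder Root O=E-Tugra
# Subject: CN=E-Tugra Placeholder Root O=E-Tugra
# Label: "E-Tugra Placeholder Root"
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

FIXED_VERSION = (2023, 7, 22)  # certifi release that removes the e-Tugra roots

def version_is_fixed(version):
    """True if a certifi version string such as '2023.07.22' is >= the fix."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= FIXED_VERSION

def find_roots(bundle_text, needle="e-tugra"):
    """Return labels of bundle entries whose metadata mentions `needle`."""
    hits, meta = [], {}
    for line in bundle_text.splitlines():
        m = re.match(r"#\s*(Issuer|Subject|Label):\s*(.*)", line)
        if m:
            meta[m.group(1)] = m.group(2).strip().strip('"')
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            if any(needle in v.lower() for v in meta.values()):
                hits.append(meta.get("Label", "<unlabelled>"))
            meta = {}  # metadata belongs to one certificate only
    return hits

if __name__ == "__main__":
    print("sample:", find_roots(SAMPLE_BUNDLE))
    try:
        import certifi  # optional; reports the bundle this interpreter uses
        path = certifi.where()
        with open(path, encoding="utf-8") as fh:
            print(certifi.__version__, path, find_roots(fh.read()))
    except ImportError:
        print("certifi not installed")
```

The scan relies on the comment lines that precede each certificate; a bundle without them, as a system cert store may be, produces no hits and needs the certificates themselves decoded instead.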