Bugzilla – Bug 1227519
VUL-0: CVE-2024-39689: python-certifi: remove root certificates from `GLOBALTRUST` from the root store
Last modified: 2024-07-09 08:21:34 UTC
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39689
https://www.cve.org/CVERecord?id=CVE-2024-39689
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
https://bugzilla.redhat.com/show_bug.cgi?id=2296020
This issue doesn't affect our package because these packages use the certificates from the system (/etc/ssl/ca-bundle.pem). The cacert.pem provided by upstream is removed from the final package. So these codestreams are not affected:
- SUSE:ALP:Source:Standard:1.0/python-certifi
- SUSE:SLE-15-SP4:Update/python-certifi
I've created an update request for Factory and SLFO, even though these packages are not affected either.
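A practitioner checking whether a given Python environment is exposed wants two things from the description and the SUSE comment above: which CA bundle the interpreter actually trusts (certifi's bundled cacert.pem or the system bundle at /etc/ssl/ca-bundle.pem), and whether that bundle still carries GLOBALTRUST roots. The following is an added example, not code from python-certifi or from the bug; the sample bundle it scans is constructed (the payloads are not real X.509 certificates) and the system bundle path is taken from the comment above as an assumption.

```python
import base64
import importlib.util
import re

# Assumed system bundle path, as named in the SUSE comment (distribution-specific).
SYSTEM_BUNDLE = "/etc/ssl/ca-bundle.pem"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def certs_in_bundle(pem_text: str) -> list:
    """Return the DER bytes of every PEM certificate block in a bundle."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(pem_text)]


def count_roots_matching(pem_text: str, needle: str = "GLOBALTRUST") -> int:
    """Count certificates whose DER encoding contains `needle`.

    Subject and issuer names are stored as PrintableString/UTF8String inside
    the DER, so the organisation name is searchable in the raw bytes without
    a full ASN.1 parser (the same thing `grep -a` over the bundle would do)."""
    return sum(needle.encode() in der for der in certs_in_bundle(pem_text))


def active_bundle_path() -> str:
    """Bundle a Python process would use: certifi's own file when the module
    is importable, otherwise the system bundle (as in the SUSE package)."""
    if importlib.util.find_spec("certifi") is not None:
        import certifi
        return certifi.where()
    return SYSTEM_BUNDLE


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample bundle: two fake DER payloads, one naming GLOBALTRUST.
SAMPLE_BUNDLE = (_pem(b"\x30\x12" + b"GLOBALTRUST 2020")
                 + _pem(b"\x30\x0c" + b"Example CA"))

if __name__ == "__main__":
    path = active_bundle_path()
    print("active bundle:", path)
    with open(path, encoding="utf-8") as f:
        print("GLOBALTRUST roots present:", count_roots_matching(f.read()))
```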
This is an autogenerated message for OBS integration: This bug (1227519) was mentioned in https://build.opensuse.org/request/show/1186314 Factory / python-certifi
All done, closing.