CVE-2023-37920
Published: 25 July 2023
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Notes
Author | Note
---|---
| Priority reason: python-certifi in Debian and Ubuntu is patched to use the system CA certificates
mdeslaur | The python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required.
sbeattie | python-certifi in Debian and Ubuntu is patched to use the system CA certificates.
mdeslaur | While the cacert.pem file is shipped in binary packages, it is not used in any way; the actual application is patched to use the system ca-certificates. There is a Debian bug filed to remove the cert store here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947287
seth-arnold | I'm marking this 'ignored'; we don't wish to give the impression that this certificate bundle is supported.
Status
Package | Release | Status
---|---|---
python-certifi (Launchpad, Ubuntu, Debian) | bionic | Ignored (see notes)
 | focal | Ignored (see notes)
 | jammy | Ignored (see notes)
 | kinetic | Ignored (end of life, was needs-triage)
 | lunar | Ignored (end of life, was ignored [see notes])
 | mantic | Ignored (see notes)
 | trusty | Ignored (end of standard support)
 | upstream | Released (2023.07.22)
 | xenial | Ignored (see notes)

Patches (python-certifi): upstream: https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909

Package | Release | Status
---|---|---
python-pip (Launchpad, Ubuntu, Debian) | bionic | Ignored (see notes)
 | focal | Ignored (see notes)
 | jammy | Ignored (see notes)
 | kinetic | Ignored (end of life, was needs-triage)
 | lunar | Ignored (end of life, was ignored [see notes])
 | mantic | Ignored (see notes)
 | trusty | Ignored (see notes)
 | upstream | Needs triage
 | xenial | Ignored (see notes)
Severity score breakdown
Parameter | Value
---|---
Base score | 9.8
Attack vector | Network
Attack complexity | Low
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality impact | High
Integrity impact | High
Availability impact | High
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H