ubuntucve (Ubuntu.com): UB:CVE-2024-39689
History: Jul 05, 2024 - 12:00 a.m.

CVE-2024-39689

Tags: certifi update, root certificates, ssl certificates, trustworthiness, globaltrust, mozilla, compliance issues, python-pip, python-certifi

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from GLOBALTRUST. Certifi 2024.07.04 removes root
certificates from GLOBALTRUST from the root store. These are in the
process of being removed from Mozilla’s trust store. GLOBALTRUST’s root
certificates are being removed pursuant to an investigation which
identified “long-running and unresolved compliance issues.”

Notes

Priority reason: Use of bundled CA certificates is patched out in Ubuntu.

Author note (mdeslaur): On focal and earlier, the python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required. On jammy and later, python-certifi is bundled in the python-pip package and needs to be patched. In Debian and Ubuntu, the python-certifi packages are patched to return the location of the system CA certs provided by the ca-certificates package. While the source and binary packages do contain the CA certificates, they are not used by anything.
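The following is an added defender-side check, not part of the Ubuntu record, that ties together the affected version range from the description and the system-store redirect from the note: it reports whether an installed certifi still serves a bundle containing GLOBALTRUST roots. It assumes that certifi's cacert.pem marks each root with a `# Label: "..."` comment, that the Debian/Ubuntu patch makes `certifi.where()` return `/etc/ssl/certs/ca-certificates.crt`, and the sample bundle is constructed.

```python
import re

# certifi versions are calendar dates; CVE-2024-39689 affects 2021.05.30 <= v < 2024.07.04
AFFECTED_FROM = (2021, 5, 30)
FIXED_IN = (2024, 7, 4)

# Debian/Ubuntu patch certifi.where() to return the ca-certificates bundle instead of the
# vendored cacert.pem (assumed path: the record names the package, not the file).
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# certifi's cacert.pem precedes each root with metadata comments such as
# '# Label: "GLOBALTRUST 2020"' (assumption about the bundle's comment format).
LABEL_RE = re.compile(r'^# Label: "([^"]*)"', re.MULTILINE)

def parse_version(version: str) -> tuple:
    """'2024.07.04' -> (2024, 7, 4); also accepts the record's '2024.07.4' spelling."""
    return tuple(int(part) for part in version.split("."))

def version_affected(version: str) -> bool:
    """True if this certifi release still ships the GLOBALTRUST roots."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN

def uses_system_store(where_path: str) -> bool:
    """True if certifi.where() has been redirected to the distro CA store."""
    return where_path == SYSTEM_BUNDLE

def globaltrust_labels(pem_text: str) -> list:
    """Labels of any GLOBALTRUST roots present in a certifi-style bundle."""
    return [lbl for lbl in LABEL_RE.findall(pem_text) if "GLOBALTRUST" in lbl.upper()]

def assess(version: str, where_path: str, pem_text: str) -> dict:
    """Exposed only if an affected version actually serves a bundle that still has the roots."""
    found = globaltrust_labels(pem_text)
    system = uses_system_store(where_path)
    return {"globaltrust": found, "system_store": system,
            "exposed": version_affected(version) and not system and bool(found)}

# Constructed two-entry bundle in the cacert.pem layout; the PEM bodies are dummies.
SAMPLE_BUNDLE = ('# Label: "Example Root CA"\n-----BEGIN CERTIFICATE-----\nMIIB...dummy...\n'
                 '-----END CERTIFICATE-----\n# Label: "GLOBALTRUST 2020"\n'
                 '-----BEGIN CERTIFICATE-----\nMIIB...dummy...\n-----END CERTIFICATE-----\n')

if __name__ == "__main__":
    try:
        import certifi  # inspect the real installation when one is importable
        with open(certifi.where(), encoding="utf-8") as fh:
            print(assess(certifi.__version__, certifi.where(), fh.read()))
    except ImportError:
        print(assess("2024.02.02", "/tmp/venv/certifi/cacert.pem", SAMPLE_BUNDLE))
```

On an Ubuntu host where the patched package is in use, the verdict is not exposed even for an affected version string, which is exactly the "patched out" reasoning in the priority note; the rebuilt python-pip vendoring is what the check cannot see, so run it against the interpreter pip actually uses.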
