CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Certifi is a curated collection of root certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi versions from 2021.05.30 up to, but not including, 2024.07.4 recognized root certificates from GLOBALTRUST. Certifi 2024.07.04 removes the GLOBALTRUST root certificates from its root store. These roots are in the process of being removed from Mozilla’s trust store; GLOBALTRUST’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues.”
Priority reason: Use of bundled CA certificates is patched out in Ubuntu

Author | Note |
---|---|
mdeslaur | On focal and earlier, the python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required. On jammy and later, python-certifi is bundled in the python-pip package and needs to be patched. In Debian and Ubuntu, the python-certifi packages are patched to return the location of the system CA certs provided by the ca-certificates package. While the source and binary packages do contain the CA certificates, they are not used by anything. |
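As an added check, not code from certifi or from this tracker, the script below compares an installed certifi version against the affected range in the description and scans a bundle written in the `# Label: "..."` header format of certifi's cacert.pem for GLOBALTRUST roots. The sample bundle is constructed with placeholder PEM bodies; on Debian and Ubuntu, where the note above says the patched certifi.where() returns the system ca-certificates bundle, that file carries no such headers and the label scan reports nothing, which is the expected result there.

```python
import re

# Affected range from the advisory: [2021.05.30, 2024.07.04); certifi spells the fix 2024.7.4.
FIRST_AFFECTED = (2021, 5, 30)
FIXED = (2024, 7, 4)

def parse_version(version: str) -> tuple:
    """'2024.07.04' and '2024.7.4' both become (2024, 7, 4)."""
    return tuple(int(part) for part in version.split("."))

def version_affected(version: str) -> bool:
    """True if this certifi release still ships the GLOBALTRUST roots."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def bundle_labels(bundle_text: str) -> list:
    """'# Label: "..."' headers that certifi's cacert.pem writes above each PEM block."""
    return re.findall(r'^# Label: "([^"]+)"', bundle_text, flags=re.M)

def matching_roots(bundle_text: str, needle: str = "GLOBALTRUST") -> list:
    """Labels whose name contains the needle, case-insensitively."""
    return [lab for lab in bundle_labels(bundle_text) if needle.lower() in lab.lower()]

def audit_installed() -> dict:
    """Inspect the certifi installed in this interpreter, if any."""
    try:
        import certifi
    except ImportError:
        return {"installed": False}
    with open(certifi.where(), encoding="utf-8") as fh:
        labels = matching_roots(fh.read())
    return {"installed": True, "version": certifi.__version__,
            "version_affected": version_affected(certifi.__version__),
            "bundle": certifi.where(), "globaltrust_labels": labels}

# Constructed sample in certifi's header format; PEM bodies are placeholders.
SAMPLE_BUNDLE = """\
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
# Label: "GLOBALTRUST 2020"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(matching_roots(SAMPLE_BUNDLE))  # ['GLOBALTRUST 2020']
    print(audit_installed())
```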
github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
launchpad.net/bugs/cve/CVE-2024-39689
nvd.nist.gov/vuln/detail/CVE-2024-39689
security-tracker.debian.org/tracker/CVE-2024-39689
www.cve.org/CVERecord?id=CVE-2024-39689