I guess this is the link as you commented in your post:
https://security-tracker.debian.org/tracker/CVE-2023-37920

Name: CVE-2023-37920
Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Package: python-certifi
Fixed Version: (unfixed)
Urgency: unimportant
Notes:
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
Debian's python-certifi is patched to return the location of Debian-provided CA certificates

On Tuesday, 23-07-2024 at 09:14 Todd Zullinger wrote:
> Simon Bates wrote:
> > I recently started using Wazuh to manage the security of my servers and
> > Linux desktops.
> >
> > I have a Debian server that is raising the following alert:
> >
> > package.name: python3-certifi
> >
> > package.version: 2022.9.24-1
> >
> > vulnerability.id: CVE-2023-37920
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2023-37920
> >
> > https://tracker.debian.org/pkg/python-certifi
> >
> > I confirmed this on the machine in question and got the resulting output:
> > python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]
> >
> > Running "sudo apt update -y; sudo apt upgrade -y" does not seem to update
> > the package to the non-vulnerable version 2023.07.22.
> >
> > Is there anything I can do to resolve the issue, is this not an issue, or do
> > I need to wait for Debian to patch the package?
>
> For this particular CVE (and those which are similar), the
> security tracker¹ notes:
>
> Debian's python-certifi is patched to return the
> location of Debian-provided CA certificates
>
> The ca-certificates package is what would need to be
> updated. It looks like that's not done in bookworm yet, but
> has been done for trixie and sid.
>
> I don't know what the reason for not updating the package
> in bookworm may be, so I can't be of much more help,
> unfortunately.
>
> This seems to indicate that the Wazuh tool isn't reporting
> the most useful details, which is a common problem for
> distributions which backport patches rather than just update
> to the latest upstream version.
>
> Though the tool could be trying to use the Debian Security
> tracker to do the right thing and it would still report this
> issue since Debian seems to not mark it as a non-issue for
> python-certifi.
>
> Take all of this with a grain of salt too, as I'm still
> quite new to Debian and I may be misunderstanding the
> intended use of the security tracker (along with many other
> things). :)
>
> ¹ https://security-tracker.debian.org/tracker/CVE-2023-37920
>
> --
> Todd
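The two checks Todd's reply boils down to, written up as an added example that is not part of this thread: where Debian's patched certifi actually looks for its CA bundle, and whether that bundle still carries an e-Tugra root. It assumes the Debian patch makes certifi.where() return a path under /etc/ssl/certs/ or /usr/share/ca-certificates/, and it scans each DER certificate for the bytes "tugra" as a heuristic instead of parsing X.509 subjects; the sample bundle is constructed and contains no real certificates.

```python
"""Triage a CVE-2023-37920 alert on a Debian host (stdlib only)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Assumption: Debian's patched certifi.where() hands out the ca-certificates bundle.
DEBIAN_BUNDLE_PREFIXES = ("/etc/ssl/certs/", "/usr/share/ca-certificates/")


def classify_certifi_path(path):
    """'system' if certifi points at the distro bundle, else 'vendored' cacert.pem."""
    return "system" if path.startswith(DEBIAN_BUNDLE_PREFIXES) else "vendored"


def pem_to_der_list(bundle_text):
    """Split a PEM bundle into raw DER blobs, one per certificate."""
    return [base64.b64decode(re.sub(r"\s+", "", m)) for m in PEM_RE.findall(bundle_text)]


def etugra_roots(bundle_text):
    """Indexes of certificates whose DER contains 'tugra' (case-insensitive heuristic)."""
    return [i for i, der in enumerate(pem_to_der_list(bundle_text)) if b"tugra" in der.lower()]


def triage(certifi_path, bundle_text):
    """Verdict string: which package (if any) actually needs updating."""
    if classify_certifi_path(certifi_path) == "vendored":
        return "certifi uses its vendored cacert.pem; upgrade python3-certifi"
    hits = etugra_roots(bundle_text)
    if hits:
        return "system bundle still contains %d e-Tugra root(s); update ca-certificates" % len(hits)
    return "system bundle has no e-Tugra root; alert is a false positive"


def _fake_pem(label):
    """Constructed PEM block for the sample below; the payload is NOT a certificate."""
    body = base64.b64encode(b"CONSTRUCTED NOT A CERT: " + label).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_BUNDLE = _fake_pem(b"ISRG Root X1") + _fake_pem(b"e-Tugra Global Root CA RSA v3")

if __name__ == "__main__":
    import certifi  # python3-certifi on Debian
    path = certifi.where()
    with open(path) as f:
        print(path, "->", triage(path, f.read()))
```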