Bug 2180089 (CVE-2022-23491)

Summary: CVE-2022-23491 python-certifi: untrusted root certificates
Product: [Other] Security Response Reporter: ybuenos
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, amctagga, anthomas, aoconnor, bbuckingham, bcourt, bniver, brking, cwelton, dranck, eglynn, ehelms, epacific, flucifre, ggainey, gmeno, gtanzill, haoli, hkataria, jajackso, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jschluet, jsherril, juwatts, kdreyer, kegrant, koliveir, kshier, lbrazdil, lhh, lsvaty, lzap, mabashia, manissin, mbenjamin, mburns, mgarciac, mhackett, mhulan, mminar, myarboro, nmoumoul, omaciel, orabin, osousa, pbraun, pcreech, pgrist, rbiba, rchan, rhos-maint, shvarugh, simaishi, smallamp, smcdonal, sostapov, spower, sskracic, stcannon, teagle, tfister, thavo, tpfromme, vereddy, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-certifi 2022.12.07 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-certifi. Untrusted certificates from TrustCor have been found in the root certificates store.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2180094, 2180095, 2180096, 2180097, 2180102, 2180103, 2180253, 2180254, 2180255, 2180256, 2180257, 2180258    
Bug Blocks: 2179125    

Description ybuenos 2023-03-20 17:24:19 UTC 
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Comment 1 ybuenos 2023-03-20 17:31:27 UTC 
Created mingw-python-certifi tracking bugs for this issue:

Affects: fedora-all [bug 2180096]


Created python-certifi tracking bugs for this issue:

Affects: epel-all [bug 2180095]
Affects: fedora-all [bug 2180094]
Affects: openstack-rdo [bug 2180097]
Comment 10 errata-xmlrpc 2025-06-26 12:12:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.1

Via RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775