Bug 2180089 (CVE-2022-23491) - CVE-2022-23491 python-certifi: untrusted root certificates
Summary: CVE-2022-23491 python-certifi: untrusted root certificates
Keywords:
Status: NEW
Alias: CVE-2022-23491
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium / medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2180254 2180094 2180095 2180096 2180097 2180102 2180103 2180253 2180255 2180256 2180257 2180258
Blocks: 2179125
Reported: 2023-03-20 17:24 UTC by ybuenos
Modified: 2024-02-19 12:36 UTC
CC: 49 users

Fixed In Version: python-certifi 2022.12.07
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-certifi. Root certificates from TrustCor, which Mozilla is removing from its trust store, were found in the bundled root certificate store.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System: Github
ID: certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2024-02-13 19:07:22 UTC

Description ybuenos 2023-03-20 17:24:19 UTC
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes "TrustCor" root certificates from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Groups discussion.
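An added check, not part of this bug report or of the certifi project, for the question the description raises in practice: does the CA bundle an interpreter actually trusts still carry roots from the distrusted operator, and is the installed certifi at or past the fixed version? It assumes the bundle follows certifi's layout, where each certificate is preceded by "# Subject: ..." and "# Label: ..." comment lines (for bundles without those comments it falls back to searching the decoded DER for the operator name, which is a heuristic rather than an X.509 parse), that the installed package exposes certifi.__version__, and that the sample bundle's base64 payloads are placeholder bytes, not real certificates.

```python
"""Audit a PEM CA bundle for roots attributed to a distrusted operator.

Added example; not code from the bug report or from certifi itself.
Assumes certifi's bundle layout ('# Subject:' / '# Label:' comments before
each PEM block, as generated from Mozilla's certdata.txt). Bundles without
those comments are handled by a substring search of the decoded DER, which
is a heuristic, not an X.509 subject parse.
"""
import base64
import hashlib
import re

FIXED_IN = "2022.12.07"  # "Fixed In Version" from the bug report

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def iter_bundle(text):
    """Yield (label, subject, der) for every certificate in a PEM bundle.

    label/subject come from the certifi-style comment lines that precede
    the PEM block; either is None when no such comment is present.
    """
    pos = 0
    for m in _PEM_RE.finditer(text):
        header = text[pos:m.start()]
        pos = m.end()
        label = subject = None
        for line in header.splitlines():
            if line.startswith("# Label:"):
                label = line.split(":", 1)[1].strip().strip('"')
            elif line.startswith("# Subject:"):
                subject = line.split(":", 1)[1].strip()
        der = base64.b64decode("".join(m.group(1).split()))
        yield label, subject, der


def find_operator_roots(text, operator="TrustCor"):
    """Return [(label, sha256_hex)] for roots attributed to `operator`.

    Matches the comment metadata case-insensitively first; otherwise falls
    back to the operator name appearing as ASCII inside the DER bytes.
    """
    hits = []
    for label, subject, der in iter_bundle(text):
        meta = " ".join(s for s in (label, subject) if s)
        if operator.lower() in meta.lower() or operator.encode() in der:
            hits.append((label or "<unlabelled>", hashlib.sha256(der).hexdigest()))
    return hits


def version_tuple(v):
    """certifi versions are date-like strings such as '2022.12.07'."""
    return tuple(int(p) for p in v.split("."))


def certifi_is_fixed(version, fixed_in=FIXED_IN):
    return version_tuple(version) >= version_tuple(fixed_in)


# Constructed sample bundle (NOT real certificates): the base64 payloads are
# placeholder bytes, one of which carries a TrustCor subject string, so the
# example runs offline. Real bundles hold DER-encoded X.509 certificates.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Trust Services
# Subject: CN=Example Root CA O=Example Trust Services
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
{good}
-----END CERTIFICATE-----

# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Subject: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Label: "TrustCor RootCert CA-1"
-----BEGIN CERTIFICATE-----
{bad}
-----END CERTIFICATE-----
""".format(
    good=base64.b64encode(b"placeholder DER: CN=Example Root CA").decode(),
    bad=base64.b64encode(b"placeholder DER: CN=TrustCor RootCert CA-1").decode(),
)


def audit_installed_certifi():
    """Check the certifi importable in this interpreter; None if absent.

    Returns (version, is_fixed, hits). Assumes certifi.__version__ exists.
    """
    try:
        import certifi
    except ImportError:
        return None
    with open(certifi.where(), encoding="utf-8") as f:
        hits = find_operator_roots(f.read())
    return certifi.__version__, certifi_is_fixed(certifi.__version__), hits


if __name__ == "__main__":
    print("sample bundle:", find_operator_roots(SAMPLE_BUNDLE))
    print("installed certifi:", audit_installed_certifi())
```

The check only covers the certifi that `import certifi` resolves to; vendored copies (pip ships its own under `pip._vendor.certifi`) are separate files and must be scanned separately by passing their `where()` path to `find_operator_roots`. A fixed bundle should produce an empty hit list; a non-empty one on a version reported as fixed indicates a stale or locally modified bundle.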

Comment 1 ybuenos 2023-03-20 17:31:27 UTC
Created mingw-python-certifi tracking bugs for this issue:

Affects: fedora-all [bug 2180096]


Created python-certifi tracking bugs for this issue:

Affects: epel-all [bug 2180095]
Affects: fedora-all [bug 2180094]
Affects: openstack-rdo [bug 2180097]
