Bug 2296020 (CVE-2024-39689) - CVE-2024-39689 python-certifi: Remove root certificates from `GLOBALTRUST` from the root store
Status: NEW
Alias: CVE-2024-39689
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
Depends On: 2296071 2296072
Reported: 2024-07-05 19:41 UTC by OSIDB Bzimport
Modified: 2025-05-10 08:27 UTC (History)

Description OSIDB Bzimport 2024-07-05 19:41:43 UTC
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

Comment 1 Sandipan Roy 2024-10-19 13:20:52 UTC
This issue can be mitigated by adding the root CAs in question to /etc/pki/ca-trust/source/blacklist on RHEL 8 or /etc/pki/ca-trust/source/blocklist on RHEL 9 and running update-ca-trust.

See also https://www.redhat.com/sysadmin/configure-ca-trust-list.
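
The mitigation above works at the system trust level; the following added example (not certifi's or Red Hat's own code) shows how to scan a certifi-style bundle for roots whose label matches `GLOBALTRUST` and stage each one as a PEM file for the blocklist directory. It assumes certifi's cacert.pem keeps a `# Label: "..."` comment header in front of every certificate and matches on that header rather than parsing X.509; the sample bundle is constructed, with fake certificate bodies.

```python
"""Find named roots in a certifi-style bundle and stage them for the
ca-trust blocklist (added example; not certifi's or Red Hat's own code)."""
import re
from pathlib import Path

# Assumption: certifi's cacert.pem precedes each certificate with comment
# headers such as '# Label: "..."', then the PEM block.
BLOCK_RE = re.compile(
    r'# Label: "(?P<label>[^"]+)"\n(?:#[^\n]*\n)*'
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.DOTALL,
)

def find_roots(bundle_text: str, label_pattern: str) -> list[tuple[str, str]]:
    """Return (label, pem) for every certificate whose label matches."""
    want = re.compile(label_pattern)
    return [(m["label"], m["pem"]) for m in BLOCK_RE.finditer(bundle_text)
            if want.search(m["label"])]

def stage_blocklist(roots, blocklist_dir: Path) -> list[Path]:
    """Write one PEM per root into blocklist_dir (on RHEL 9 that is
    /etc/pki/ca-trust/source/blocklist); run update-ca-trust afterwards."""
    blocklist_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for label, pem in roots:
        safe = re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_")
        path = blocklist_dir / f"{safe}.pem"
        path.write_text(pem)
        written.append(path)
    return written

# Constructed sample bundle: fake certificate bodies, certifi-style headers.
SAMPLE_BUNDLE = """\
# Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
# Label: "GLOBALTRUST 2020"
# Serial: 1
-----BEGIN CERTIFICATE-----
MIIFAKEBODYgR0xPQkFMVFJVU1QgMjAyMCBzYW1wbGU=
-----END CERTIFICATE-----

# Subject: CN=Example Root CA O=Example
# Label: "Example Root CA"
# Serial: 2
-----BEGIN CERTIFICATE-----
MIIFAKEBODYgRXhhbXBsZSBSb290IENBIHNhbXBsZQ==
-----END CERTIFICATE-----
"""
```

To audit a real environment, feed `find_roots` the installed bundle (`Path(certifi.where()).read_text()`) and point `stage_blocklist` at the blocklist directory named in the comment above, then run update-ca-trust.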

