Bugzilla – Bug 1206212
VUL-0: CVE-2022-23491: python-certifi,ca-certificates-mozilla: Dropping TrustCor root certificates
Last modified: 2024-06-13 15:45:02 UTC
CVE-2022-23491: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23491
https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8
https://www.cve.org/CVERecord?id=CVE-2022-23491
http://www.cvedetails.com/cve/CVE-2022-23491/
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
@Assigning to cloud-bugs (bugowner of python-certifi):

Contains the TrustCor Root CA cert (tracking as affected):
- SUSE:SLE-15:Update/python-certifi 2018.1.18
- openSUSE:Factory/python-certifi 2022.9.24
- SUSE:SLE-12-SP1:Update/python-certifi 2018.4.16
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-certifi 2018.4.16

Does not contain it:
- SUSE:RES-7:Update/python-certifi 2015.9.6.2
- SUSE:RES-7:Update:Products:ManagerToolsBeta:Update/python-certifi 2015.9.6.2
- SUSE:SLE-11-SP3:Update/python-certifi 2015.9.6.2
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-certifi 2017.4.17

--------------------------------

@Assigning to Marcus (bugowner of ca-certificates-mozilla):

Contains the TrustCor Root CA cert (tracking as affected):
- SUSE:SLE-12:Update/ca-certificates-mozilla 2.56
- SUSE:SLE-15-SP2:Update/ca-certificates-mozilla 2.56
- SUSE:SLE-15:Update/ca-certificates-mozilla 2.56
- openSUSE:Factory/ca-certificates-mozilla 2.56
This is an autogenerated message for OBS integration: This bug (1206212) was mentioned in https://build.opensuse.org/request/show/1044255 Factory / ca-certificates-mozilla
SUSE-SU-2022:4625-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1206212,1206622
CVE References:
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): ca-certificates-mozilla-2.60-12.40.1
SUSE OpenStack Cloud 9 (src): ca-certificates-mozilla-2.60-12.40.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): ca-certificates-mozilla-2.60-12.40.1
SUSE Linux Enterprise Server 12-SP5 (src): ca-certificates-mozilla-2.60-12.40.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): ca-certificates-mozilla-2.60-12.40.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): ca-certificates-mozilla-2.60-12.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0003-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1206212,1206622
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Linux Enterprise Server for SAP 15 (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Linux Enterprise Server 15-LTSS (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE Enterprise Storage 6 (src): ca-certificates-mozilla-2.60-150000.4.38.1
SUSE CaaS Platform 4.0 (src): ca-certificates-mozilla-2.60-150000.4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0037-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1206212,1206622
CVE References:
JIRA References:
Sources used:
openSUSE Leap Micro 5.3 (src): ca-certificates-mozilla-2.60-150200.27.1
openSUSE Leap Micro 5.2 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
openSUSE Leap 15.4 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Manager Server 4.2 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Manager Server 4.1 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Manager Retail Branch Server 4.2 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Manager Retail Branch Server 4.1 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Manager Proxy 4.2 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Manager Proxy 4.1 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Linux Enterprise Micro 5.3 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Linux Enterprise Micro 5.2 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise Micro 5.1 (src): ca-certificates-mozilla-2.60-150200.27.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Enterprise Storage 7.1 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1
SUSE Enterprise Storage 7 (src): ca-certificates-mozilla-2.60-150200.27.1, ca-certificates-mozilla-prebuilt-2.60-150200.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0139-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1206212
CVE References: CVE-2022-23491
JIRA References:
Sources used:
openSUSE Leap Micro 5.3 (src): python-certifi-2018.1.18-150000.3.3.1
openSUSE Leap Micro 5.2 (src): python-certifi-2018.1.18-150000.3.3.1
openSUSE Leap 15.4 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Manager Server 4.2 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Manager Retail Branch Server 4.2 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Manager Proxy 4.2 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Micro 5.3 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Micro 5.2 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise Micro 5.1 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Enterprise Storage 7.1 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Enterprise Storage 7 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE Enterprise Storage 6 (src): python-certifi-2018.1.18-150000.3.3.1
SUSE CaaS Platform 4.0 (src): python-certifi-2018.1.18-150000.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE:SLE-12-SP1:Update python-certifi only refers to the system ca bundle, not its own, e.g. the one provided by ca-certificates-mozilla.
same goes for the openstack based python-certifi ones. (even the fix for SLE15 was not needed.)
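Added example, not part of the bug report, the SUSE packages or the certifi project: a stdlib-only Python check that lists the certificates in a PEM CA bundle whose subject mentions TrustCor. It parses the DER subject rather than relying on the "# Label:" comment headers that certifi's cacert.pem carries (the ca-certificates-mozilla system bundle does not), so the same check works on the path certifi.where() returns (on SUSE, the system bundle, as the comments above explain) and on the OpenSSL default cafile. The embedded sample bundle is constructed for the test: unsigned placeholder certificates imitating the TrustCor naming, not the real roots.

```python
import base64
import ssl

# X.500 attribute OIDs printed by their short names; others fall back to dotted form
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos):
    """One DER tag-length-value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(name_body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> [(short, text)]."""
    attrs, pos = [], 0
    while pos < len(name_body):
        _, rdn, pos = read_tlv(name_body, pos)         # RelativeDistinguishedName (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)       # AttributeTypeAndValue (SEQUENCE)
            _, oid, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            oid_text = decode_oid(oid)
            attrs.append((OIDS.get(oid_text, oid_text), value.decode("utf-8", "replace")))
    return attrs


def subject_of(der_cert):
    """Walk Certificate -> tbsCertificate and return the subject attributes."""
    _, cert_body, _ = read_tlv(der_cert, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return parse_name(fields[4][1])        # serial, sigalg, issuer, validity, subject


def pem_certs(bundle_text):
    """Split a PEM bundle into DER blobs; text between blocks (comment headers) is ignored."""
    certs, buf = [], None
    for line in bundle_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            buf = []
        elif line == "-----END CERTIFICATE-----":
            certs.append(base64.b64decode("".join(buf)))
            buf = None
        elif buf is not None:
            buf.append(line)
    return certs


def find_subjects(bundle_text, needle="TrustCor"):
    """'K=V, ...' subject strings of every certificate whose subject contains needle."""
    hits = []
    for der_cert in pem_certs(bundle_text):
        subject = subject_of(der_cert)
        if any(needle.lower() in v.lower() for _, v in subject):
            hits.append(", ".join(f"{k}={v}" for k, v in subject))
    return hits


# --- constructed sample bundle: unsigned placeholders, NOT the real TrustCor roots ---
def _der(tag, payload):
    n = len(payload)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + payload


def _fake_root(attrs):
    """Structurally valid, self-issued, unsigned certificate for exercising the parser."""
    name = _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode()))) for oid, text in attrs))
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = _der(0x30, _der(0x17, b"221201000000Z") + _der(0x17, b"321201000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + name + validity + name + _der(0x30, b""))     # issuer == subject; empty SPKI
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00\x00"))   # dummy signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


O, CN = b"\x55\x04\x0a", b"\x55\x04\x03"
SAMPLE_BUNDLE = ('# Label: "Example Root CA"\n'                  # certifi-style header, skipped
                 + _fake_root([(O, "Example Org"), (CN, "Example Root CA")])
                 + _fake_root([(O, "TrustCor Systems S. de R.L."), (CN, "TrustCor RootCert CA-1")]))

if __name__ == "__main__":
    paths = [ssl.get_default_verify_paths().cafile]   # OpenSSL's default bundle, may be None
    try:
        import certifi                                # on SUSE this resolves to the system bundle
        paths.append(certifi.where())
    except ImportError:
        pass
    for path in filter(None, paths):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_subjects(fh.read())
        print(path, f"{len(hits)} TrustCor subject(s)", *hits, sep="\n  ")
```

After the ca-certificates-mozilla 2.60 update the system bundle should report zero TrustCor subjects; a non-zero count from certifi.where() means the interpreter is using a vendored certifi wheel older than 2022.12.07 rather than the packaged one.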