Description
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
A flaw was found in python-certifi. Untrusted certificates from TrustCor have been found in the root certificates store.
Report
Satellite is not vulnerable to this flaw as it ships a build of python-certifi that is patched to use system certs from /etc/pki/tls/certs/ca-bundle.crt. Red Hat has rated this CVE as moderate because most Red Hat products use the system-wide root CA certificate bundle instead of the certifi bundle.
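An added example (not part of the advisory or of the certifi project) that checks which of the two trust sources described above a Python environment would expose: it compares the installed certifi version against 2022.12.07 and scans both the certifi bundle and the system bundle for TrustCor roots. Matching on the substring "TrustCor" in the certificate subject is an assumption of this example.

```python
import os
import re
import ssl

FIXED = (2022, 12, 7)  # certifi release that dropped the TrustCor roots (per the advisory)
SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"  # system bundle path named in the advisory


def predates_fix(version):
    """True if a certifi version string is older than 2022.12.07."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3]) < FIXED


def is_trustcor(cert):
    """cert is a dict in the shape returned by SSLContext.get_ca_certs()."""
    fields = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    names = (fields.get("organizationName", ""), fields.get("commonName", ""))
    # Assumption: a case-insensitive "trustcor" match on O/CN identifies the roots.
    return any("trustcor" in n.lower() for n in names)


def trustcor_roots(cafile):
    """Load a PEM bundle and return the common names of TrustCor CA certificates in it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    hits = []
    for cert in ctx.get_ca_certs():
        if is_trustcor(cert):
            fields = {k: v for rdn in cert["subject"] for k, v in rdn}
            hits.append(fields.get("commonName", "<no CN>"))
    return sorted(hits)


if __name__ == "__main__":
    bundles = {}
    try:
        import certifi
        state = "predates fix" if predates_fix(certifi.__version__) else "fixed"
        print(f"certifi {certifi.__version__}: {state}")
        bundles["certifi"] = certifi.where()
    except ImportError:
        print("certifi not installed")
    if os.path.exists(SYSTEM_BUNDLE):
        bundles["system"] = SYSTEM_BUNDLE
    for name, path in bundles.items():
        hits = trustcor_roots(path)
        print(f"{name} bundle {path}: {hits or 'no TrustCor roots'}")
```

Run it with the same interpreter and virtual environment as the application, since each environment can carry its own certifi copy.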
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Ansible Automation Platform 2 | python-certifi | Affected | | |
Red Hat Ceph Storage 4 | python-certifi | Affected | | |
Red Hat Ceph Storage 5 | python-certifi | Affected | | |
Red Hat OpenShift Container Platform 3.11 | python-certifi | Out of support scope | | |
Red Hat OpenShift Container Storage 4 | python-certifi | Out of support scope | | |
Red Hat OpenShift Data Foundation 4 | python-certifi | Affected | | |
Red Hat OpenStack Platform 13 (Queens) | python-certifi | Out of support scope | | |
Red Hat OpenStack Platform 16.1 | python-certifi | Not affected | | |
Red Hat OpenStack Platform 16.2 | python-certifi | Not affected | | |
Red Hat OpenStack Platform 17.0 | python-certifi | Not affected | | |
Additional information
Status:
EPSS
CVSS3: 7.5 High