GHSA-xqr8-7jwr-rhp7
- Source
- https://github.com/advisories/GHSA-xqr8-7jwr-rhp7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-xqr8-7jwr-rhp7/GHSA-xqr8-7jwr-rhp7.json
- Aliases
- Published
- 2023-07-25T14:43:53Z
- Modified
- 2024-02-16T08:23:44.896557Z
- Summary
- Removal of e-Tugra root certificate
- Details
-
Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store.
e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.
- References
-
- https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- https://nvd.nist.gov/vuln/detail/CVE-2023-37920
- https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
- https://github.com/certifi/python-certifi
- https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2023-135.yaml
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG
Affected packages
PyPI / certifi
Package
- Name
- certifi
Affected versions
2015.*
2015.04.28
2015.9.6
2015.9.6.1
2015.9.6.2
2015.11.20
2015.11.20.1
2016.*
2016.2.28
2016.8.2
2016.8.8
2016.8.31
2016.9.26
2017.*
2017.1.23
2017.4.17
2017.7.27
2017.7.27.1
2017.11.5
2018.*
2018.1.18
2018.4.16
2018.8.13
2018.8.24
2018.10.15
2018.11.29
2019.*
2019.3.9
2019.6.16
2019.9.11
2019.11.28
2020.*
2020.4.5
2020.4.5.1
2020.4.5.2
2020.6.20
2020.11.8
2020.12.5
2021.*
2021.5.30
2021.10.8
2022.*
2022.5.18
2022.5.18.1
2022.6.15
2022.6.15.1
2022.6.15.2
2022.9.14
2022.9.24
2022.12.7
2023.*
2023.5.7