CVE-2024-39689
Publication date 5 July 2024
Last updated 24 July 2024
Ubuntu priority
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
Read the notes from the security team
Why is this CVE negligible priority?
Use of bundled CA certificates is patched out in Ubuntu
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-certifi | 24.04 LTS noble | Ignored see notes |
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Ignored see notes | |
| 18.04 LTS bionic | Ignored see notes | |
| 16.04 LTS xenial | Ignored see notes | |
| python-pip | 24.04 LTS noble | Ignored see notes |
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Ignored see notes | |
| 18.04 LTS bionic | Ignored see notes | |
| 16.04 LTS xenial | Ignored see notes | |
| 14.04 LTS trusty | Ignored see notes |
Notes
mdeslaur
On focal and earlier, the python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required. On jammy and later, python-certifi is bundled in the python-pip package and needs to be patched. In Debian and Ubuntu, the python-certifi packages are patched to return the location of the system CA certs provided by the ca-certificates package. While the source and binary packages do contain the ca certificates, they are not used by anything.