Discussion:
Wazuh Security Alert
Simon Bates
2024-07-22 22:40:02 UTC
I recently started using Wazuh to manage the security of my servers and
Linux desktops.

I have a Debian server that is raising the following alert:

package.name: python3-certifi

package.version: 2022.9.24-1

vulnerability.id: CVE-2023-37920

https://nvd.nist.gov/vuln/detail/CVE-2023-37920

https://tracker.debian.org/pkg/python-certifi


I confirmed this on the machine in question and got the resulting output:
python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]


Running "sudo apt update -y; sudo apt upgrade -y" does not seem to
update the package to the non-vulnerable version 2023.07.22.


Is there anything I can do to resolve the issue, is this not an issue,
or do I need to wait for Debian to patch the package?
Todd Zullinger
2024-07-22 23:30:01 UTC
Post by Simon Bates
I recently started using Wazuh to manage the security of my servers and
Linux desktops.
package.name: python3-certifi
package.version: 2022.9.24-1
vulnerability.id: CVE-2023-37920
https://nvd.nist.gov/vuln/detail/CVE-2023-37920
https://tracker.debian.org/pkg/python-certifi
python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]
Running "sudo apt update -y; sudo apt upgrade -y", does not seem to update
the package to the non-vulnerable version 2023.07.22.
Is there anything I can do to resolve the issue, is this not an issue, or do
I need to wait for Debian to patch the package?
For this particular CVE (and those which are similar), the
security tracker¹ notes:

Debian's python-certifi is patched to return the
location of Debian-provided CA certificates

The ca-certificates package is what would need to be
updated. It looks like that's not done in bookworm yet, but
has been done for trixie and sid.

I don't know what the reason for not updating the package
in bookworm may be, so I can't be of much more help,
unfortunately.

This seems to indicate that the Wazuh tool isn't reporting
the most useful details, which is a common problem for
distributions which backport patches rather than just update
to the latest upstream version.

Though the tool could be trying to use the Debian Security
tracker to do the right thing and it would still report this
issue since Debian seems to not mark it as a non-issue for
python-certifi.

Take all of this with a grain of salt too, as I'm still
quite new to Debian and I may be misunderstanding the
intended use of the security tracker (along with many other
things). :)

¹ https://security-tracker.debian.org/tracker/CVE-2023-37920
--
Todd
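Todd's point is that the relevant question is not the python3-certifi version but whether the system CA store (ca-certificates) still trusts the e-Tugra roots and whether certifi really defers to it. The following is an added example, not code from the thread or from Debian; it assumes Debian's /etc/ca-certificates.conf layout (one certificate file per line, a leading "!" meaning deselected) and that the Debian certifi patch makes certifi.where() return /etc/ssl/certs/ca-certificates.crt. The sample conf and bundle are constructed inline; the "certificate" is a stand-in byte string, not a real X.509 object.

```python
import base64
import re
from pathlib import Path

# Debian's ca-certificates: one cert file per line, '!' = deselected, '#' = comment
CA_CONF = Path("/etc/ca-certificates.conf")
SYSTEM_BUNDLE = Path("/etc/ssl/certs/ca-certificates.crt")
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample inputs (not real Debian files, not a real certificate);
# the DER stand-in only needs to carry the CA name as plain bytes.
SAMPLE_CONF = """# This file lists certificates that you wish to use
mozilla/DigiCert_Global_Root_G2.crt
mozilla/E-Tugra_Certification_Authority.crt
!mozilla/E-Tugra_Global_Root_CA_RSA_v3.crt
"""
_fake_der = b"\x30\x82" + b"CN=E-Tugra Certification Authority, O=E-Tugra EBG" + b"\x00"
SAMPLE_BUNDLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_fake_der)
                 + b"-----END CERTIFICATE-----\n")

def conf_status(conf_text, needle="tugra"):
    """Split ca-certificates.conf entries matching needle into enabled/disabled."""
    enabled, disabled = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.lstrip("!")
        if needle.lower() in name.lower():
            (disabled if line.startswith("!") else enabled).append(name)
    return {"enabled": enabled, "disabled": disabled}

def bundle_mentions(pem_bytes, needle="tugra"):
    """Count PEM certs whose DER contains needle; X.509 names are stored as
    plain strings, so a case-insensitive byte search finds a CA by name."""
    hits = 0
    for b64 in PEM_BLOCK.findall(pem_bytes):
        der = base64.b64decode(b"".join(b64.split()))
        hits += needle.lower().encode() in der.lower()
    return hits

def certifi_uses_system_store():
    """True if certifi.where() is Debian's bundle (the Debian patch the
    security tracker describes); False if certifi is missing or bundles its own."""
    try:
        import certifi
    except ImportError:
        return False
    return Path(certifi.where()).resolve() == SYSTEM_BUNDLE.resolve()
```

On a real host, run `conf_status(CA_CONF.read_text())` and `bundle_mentions(SYSTEM_BUNDLE.read_bytes())`: if both report e-Tugra entries, the exposure Wazuh flags is in ca-certificates, not in python3-certifi, and a deselected entry in the conf followed by `update-ca-certificates` is what removes it from the bundle.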
George at Clug
2024-07-23 00:30:01 UTC
I guess this is the link, as you comment in your post:

https://security-tracker.debian.org/tracker/CVE-2023-37920
Name: CVE-2023-37920
Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Package: python-certifi
Fixed Version: (unfixed)
Urgency: unimportant

Notes
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
Debian's python-certifi is patched to return the location of Debian-provided CA certificates