High Severity Vulnerability: CVE-2024-39689 in Alpine 3.20

[beardo-sid]

Getting the following issue when using alpine 3.20.1:
Vulnerability Overview

CVE: CVE-2024-39689
Vulnerable Library: certifi-2023.7.22-py3-none-any.whl
Python Package: Certifi, used for providing Mozilla's CA Bundle.
Publish Date: July 5, 2024
CVSS 3.0 Base Score: 7.5 (High)

Vulnerability Description :
Certifi is a widely used library that provides a curated collection of Root Certificates to validate the trustworthiness of SSL certificates and verify the identity of TLS hosts. The affected version, certifi-2023.7.22-py3-none-any.whl, includes root certificates from GLOBALTRUST, which are now recognized as untrustworthy due to "long-running and unresolved compliance issues." These certificates are in the process of being removed from Mozilla's trust store. The newer version, certifi-2024.07.04, has removed these problematic root certificates.

Is there a plan to fix VA?

[fossdd]

Alpine Linux doesn't use the bundled certificates, instead it relies on system certificates from ca-certificates-bundle. Alpine Linux is unaffected of this CVE.

Also have a look at security.alpinelinux.org where the details of this CVE are listed: https://security.alpinelinux.org/vuln/CVE-2024-39689.

[Subrhamanya]

@fossdd I can see Certifi is getting pulled when we install python 3.

Do you have any say here??

[Subrhamanya]

@fossdd it seems the issue got resolved after pulling latest changes from alpine. Thanks..