Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 884805 (CVE-2022-23491)

Summary: <app-misc/ca-certificates-20211016.3.86: TrustCor removal
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: base-system, gentoo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 890265    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 02:08:35 UTC 
CVE-2022-23491 (https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8):
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Please bump to 2022.12.07.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2022-12-09 01:14:07 UTC 
You linked python-certifi, but the title is app-misc/ca-certificates.

There is no upstream of app-misc/ca-certificates with TrustCor removed yet.
https://packages.debian.org/sid/ca-certificates

If it's urgent, we can patch it our ourselves, but I'd prefer to wait for the upstream release.
Comment 2 Larry the Git Cow gentoo-dev 2022-12-10 03:26:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4e2efee358d64e28ad8a4aa625ac925a654c807

commit c4e2efee358d64e28ad8a4aa625ac925a654c807
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-10 03:24:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-10 03:24:58 +0000

    app-misc/ca-certificates: add 20211016.3.86
    
    Note that this follows Mozilla upstream in NSS 3.86 in setting
    distrust-after for TrustCor [0]. It does not remove it from the cache.
    
    [0] https://github.com/nss-dev/nss/commit/79ef8de788dfc8952d34155d3694ad1e159fcb3f
    
    Bug: https://bugs.gentoo.org/884805
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/ca-certificates/Manifest                  |   1 +
 .../ca-certificates-20211016.3.86.ebuild           | 203 +++++++++++++++++++++
 2 files changed, 204 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-06 18:10:59 UTC 
Anything necessitating holding off stabilization here?