Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 884805 (CVE-2022-23491) - <app-misc/ca-certificates-20211016.3.86: TrustCor removal
Summary: <app-misc/ca-certificates-20211016.3.86: TrustCor removal
Alias: CVE-2022-23491
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa? cleanup]
Depends on: 890265
  Show dependency tree
Reported: 2022-12-08 02:08 UTC by John Helmert III
Modified: 2023-01-09 19:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 02:08:35 UTC
CVE-2022-23491 (

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Please bump to 2022.12.07.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2022-12-09 01:14:07 UTC
You linked python-certifi, but the title is app-misc/ca-certificates.

There is no upstream of app-misc/ca-certificates with TrustCor removed yet.

If it's urgent, we can patch it our ourselves, but I'd prefer to wait for the upstream release.
Comment 2 Larry the Git Cow gentoo-dev 2022-12-10 03:26:50 UTC
The bug has been referenced in the following commit(s):

commit c4e2efee358d64e28ad8a4aa625ac925a654c807
Author:     Sam James <>
AuthorDate: 2022-12-10 03:24:53 +0000
Commit:     Sam James <>
CommitDate: 2022-12-10 03:24:58 +0000

    app-misc/ca-certificates: add 20211016.3.86
    Note that this follows Mozilla upstream in NSS 3.86 in setting
    distrust-after for TrustCor [0]. It does not remove it from the cache.
    Signed-off-by: Sam James <>

 app-misc/ca-certificates/Manifest                  |   1 +
 .../ca-certificates-20211016.3.86.ebuild           | 203 +++++++++++++++++++++
 2 files changed, 204 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-06 18:10:59 UTC
Anything necessitating holding off stabilization here?