CVE-2022-23491 (https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8): https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. Please bump to 2022.12.07.
You linked python-certifi, but the title is app-misc/ca-certificates. There is no upstream of app-misc/ca-certificates with TrustCor removed yet. https://packages.debian.org/sid/ca-certificates If it's urgent, we can patch it ourselves, but I'd prefer to wait for the upstream release.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4e2efee358d64e28ad8a4aa625ac925a654c807

commit c4e2efee358d64e28ad8a4aa625ac925a654c807
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-12-10 03:24:53 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-12-10 03:24:58 +0000

app-misc/ca-certificates: add 20211016.3.86

Note that this follows Mozilla upstream in NSS 3.86 in setting distrust-after for TrustCor [0]. It does not remove it from the cache.

[0] https://github.com/nss-dev/nss/commit/79ef8de788dfc8952d34155d3694ad1e159fcb3f

Bug: https://bugs.gentoo.org/884805
Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/ca-certificates/Manifest | 1 +
 .../ca-certificates-20211016.3.86.ebuild | 203 +++++++++++++++++++++
 2 files changed, 204 insertions(+)
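The commit above makes a distinction worth checking on your own hosts: NSS's distrust-after does not drop the root, it sets CKA_NSS_SERVER_DISTRUST_AFTER on the certificate object so that server certificates issued after that date stop chaining to it, while earlier-issued ones keep working. The following is an added example, not code from this bug, from Gentoo, or from NSS. It parses the attribute-per-line certdata.txt object format that ca-certificates is built from and reports, per CKA_LABEL, the server-auth trust flag and any distrust-after date, then answers whether a leaf issued on a given date would still be accepted. The embedded certdata excerpt is constructed: the labels and the date are sample values, not the real TrustCor entries.

```python
"""Summarise root trust state from an NSS certdata.txt body.

Added example (not Gentoo's, NSS's or certifi's code). It distinguishes a
root that was removed from one that is merely distrusted after a date.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed certdata.txt excerpt: a certificate object plus its trust
# object, as NSS lays them out.  The octal bytes spell the UTCTime
# "221130000000Z"; the labels and the date are sample values only.
SAMPLE_CERTDATA = r"""
#
# Certificate "Example Distrusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Example Healthy Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Healthy Root"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Healthy Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""


def parse_certdata(text):
    """Return a list of dicts, one per object (objects end at a blank line)."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        key, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            # Octal-escaped bytes follow until a bare END line.
            raw = ""
            for cont in lines:
                if cont.strip() == "END":
                    break
                raw += cont.strip()
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", raw))
        elif typ == "UTF8":
            value = parts[2].strip('"')
        else:
            value = parts[2] if len(parts) > 2 else ""
        current[key] = value
    if current:
        objects.append(current)
    return objects


def trust_summary(text):
    """Map CKA_LABEL -> {'server_auth': flag, 'distrust_after': aware datetime or None}."""
    certs, trusts = {}, {}
    for obj in parse_certdata(text):
        cls, label = obj.get("CKA_CLASS"), obj.get("CKA_LABEL")
        (certs if cls == "CKO_CERTIFICATE" else trusts)[label] = obj
    summary = {}
    for label, cert in certs.items():
        raw = cert.get("CKA_NSS_SERVER_DISTRUST_AFTER")
        distrust_after = None
        if isinstance(raw, bytes):  # UTCTime YYMMDDhhmmssZ
            distrust_after = datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")
            distrust_after = distrust_after.replace(tzinfo=timezone.utc)
        summary[label] = {
            "server_auth": trusts.get(label, {}).get("CKA_TRUST_SERVER_AUTH"),
            "distrust_after": distrust_after,
        }
    return summary


def leaf_accepted(summary, label, not_before_iso):
    """Would a server cert issued on not_before_iso (YYYY-MM-DD) chain to this root?

    A root absent from the summary is 'removed'; a root with a distrust-after
    date still anchors leaves issued on or before that date.
    """
    entry = summary.get(label)
    if entry is None or entry["server_auth"] != "CKT_NSS_TRUSTED_DELEGATOR":
        return False
    not_before = datetime.fromisoformat(not_before_iso).replace(tzinfo=timezone.utc)
    cutoff = entry["distrust_after"]
    return cutoff is None or not_before <= cutoff


if __name__ == "__main__":
    # Usage: python certdata_trust.py [path/to/certdata.txt]; defaults to the sample.
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    for name, entry in sorted(trust_summary(body).items()):
        print(f"{name}: server_auth={entry['server_auth']} distrust_after={entry['distrust_after']}")
```

Run it against the certdata.txt your ca-certificates build consumes (or the system copy, if your distribution installs it) and a root that was distrusted rather than removed shows up with its trust flag intact and a distrust_after date; a root that was removed does not appear at all, which is the difference between this ebuild's behaviour and certifi's.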
Anything necessitating holding off stabilization here?