Simon Bates wrote:
> I recently started using Wazuh to manage the security of my servers and
> Linux desktops.
> 
> I have a Debian server that is raising the following alert:
> 
> package.name: python3-certifi
> 
> package.version: 2022.9.24-1
> 
> vulnerability.id: CVE-2023-37920
> 
> https://nvd.nist.gov/vuln/detail/CVE-2023-37920
> 
> https://tracker.debian.org/pkg/python-certifi
> 
> I confirmed this on the machine in question and got the resulting output:
> python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]
> 
> Running "sudo apt update -y; sudo apt upgrade -y" does not seem to update
> the package to the non-vulnerable version 2023.07.22.
> 
> Is there anything I can do to resolve the issue, is this not an issue, or do
> I need to wait for Debian to patch the package?

For this particular CVE (and those which are similar), the
security tracker¹ notes:

    Debian's python-certifi is patched to return the
    location of Debian-provided CA certificates

The ca-certificates package is what would need to be
updated.  It looks like that's not done in bookworm yet, but
has been done for trixie and sid.

I don't know what the reason for not updating the package
in bookworm may be, so I can't be of much more help,
unfortunately.

This seems to indicate that the Wazuh tool isn't reporting
the most useful details, which is a common problem for
distributions which backport patches rather than just update
to the latest upstream version.

Though the tool could be trying to use the Debian Security
tracker to do the right thing and it would still report this
issue since Debian seems to not mark it as a non-issue for
python-certifi.

Take all of this with a grain of salt too, as I'm still
quite new to Debian and I may be misunderstanding the
intended use of the security tracker (along with many other
things). :)

¹ https://security-tracker.debian.org/tracker/CVE-2023-37920

-- 
Todd

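The practical question behind Todd's reply is which bundle Python on
the box actually trusts, and whether that bundle still carries the
e-Tugra roots that certifi 2023.07.22 dropped (that removal is what
CVE-2023-37920 is about). The script below is an added example for
this thread, not Debian's, certifi's or Wazuh's code. It prints the
CA file Python's ssl module and (if importable) certifi resolve to,
then parses every certificate in a PEM bundle and reports any subject
name string containing "E-Tugra". On Debian, certifi.where() should
come back as /etc/ssl/certs/ca-certificates.crt, which is why the fix
belongs in ca-certificates rather than python3-certifi. The two
"certificates" in SAMPLE_BUNDLE are constructed DER stand-ins (subject
names only, no key or signature) so the script runs offline; the path
default and argv handling are assumptions for illustration.

```python
"""Check which CA bundle Python trusts and whether it still contains
e-Tugra roots.  Added example for this thread, not Debian's, certifi's
or Wazuh's own code.  SAMPLE_BUNDLE holds constructed stand-ins, not
real certificates, so the script runs offline; on a Debian host pass
/etc/ssl/certs/ca-certificates.crt (or let the default find it)."""
import os
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return every PEM certificate block in a concatenated bundle."""
    return PEM_BLOCK.findall(text)


def der_strings(der):
    """Walk a DER blob and collect every universal PrintableString,
    UTF8String and IA5String; subject/issuer names are built from these."""
    out, i = [], 0
    while i + 1 < len(der):
        tag, length = der[i], der[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(der[i:i + n], "big")
            i += n
        body = der[i:i + length]
        i += length
        if tag & 0x20:                         # constructed: recurse
            out.extend(der_strings(body))
        elif (tag & 0xC0) == 0 and (tag & 0x1F) in (0x0C, 0x13, 0x16):
            out.append(body.decode("utf-8", "replace"))
    return out


def scan_bundle(text, needle="E-Tugra"):
    """Return the name strings in the bundle that contain needle."""
    hits = []
    for pem in split_pem_bundle(text):
        der = ssl.PEM_cert_to_DER_cert(pem)
        hits.extend(s for s in der_strings(der) if needle in s)
    return hits


def trusted_bundle_paths():
    """Where Python's ssl module and (if installed) certifi look for roots.
    On Debian certifi.where() should equal the ca-certificates bundle."""
    paths = {"ssl": ssl.get_default_verify_paths().cafile}
    try:
        import certifi                     # may be absent on this host
        paths["certifi"] = certifi.where()
    except ImportError:
        paths["certifi"] = None
    return paths


# --- constructed sample data (not real certificates) -------------------
def _tlv(tag, body):
    """Encode one DER tag-length-value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(*pairs):
    """DER Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, value.encode())))
        for oid, value in pairs))


_O, _CN = b"\x55\x04\x0a", b"\x55\x04\x03"   # organizationName, commonName
SAMPLE_BUNDLE = ssl.DER_cert_to_PEM_cert(_name(
    (_O, "E-Tugra EBG Bilisim Teknolojileri ve Hizmetleri A.S."),
    (_CN, "E-Tugra Certification Authority"),
)) + ssl.DER_cert_to_PEM_cert(_name((_CN, "Example Root CA")))


if __name__ == "__main__":
    for who, path in trusted_bundle_paths().items():
        print(f"{who}: {path}")
    # assumed default path; any bundle path can be given as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/ca-certificates.crt"
    if os.path.exists(target):
        text, label = open(target).read(), target
    else:
        text, label = SAMPLE_BUNDLE, "constructed sample bundle"
    hits = scan_bundle(text)
    print(f"scanning {label}: {len(split_pem_bundle(text))} certificates")
    print("e-Tugra still present:" if hits else "no e-Tugra roots found", *hits, sep="\n  ")
```

If certifi.where() prints the Debian bundle path and the scan of that
bundle finds no e-Tugra names, the python3-certifi version string is
not what decides exposure on that host; if it does find them, the
ca-certificates package is the thing to watch for an update.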