Simon Bates wrote:
> I recently started using Wazuh to manage the security of my servers and
> Linux desktops.
>
> I have a Debian server that is raising the following alert:
>
>     package.name: python3-certifi
>     package.version: 2022.9.24-1
>     vulnerability.id: CVE-2023-37920
>     https://nvd.nist.gov/vuln/detail/CVE-2023-37920
>     https://tracker.debian.org/pkg/python-certifi
>
> I confirmed this on the machine in question and got the resulting output:
>
>     python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]
>
> Running "sudo apt update -y; sudo apt upgrade -y" does not seem to update
> the package to the non-vulnerable version 2023.07.22.
>
> Is there anything I can do to resolve the issue, is this not an issue, or do
> I need to wait for Debian to patch the package?
For this particular CVE (and those which are similar), the security tracker¹ notes:

    Debian's python-certifi is patched to return the location of Debian-provided CA certificates

The ca-certificates package is what would need to be updated. It looks like that's not done in bookworm yet, but has been done for trixie and sid. I don't know what the reason for not updating the package in bookworm may be, so I can't be of much more help, unfortunately.

This seems to indicate that the Wazuh tool isn't reporting the most useful details, which is a common problem for distributions which backport patches rather than just update to the latest upstream version. Though the tool could be trying to use the Debian security tracker to do the right thing, and it would still report this issue, since Debian seems to not mark it as a non-issue for python-certifi.

Take all of this with a grain of salt too, as I'm still quite new to Debian and I may be misunderstanding the intended use of the security tracker (along with many other things). :)

¹ https://security-tracker.debian.org/tracker/CVE-2023-37920

-- 
Todd
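A triage helper for the situation discussed in this thread, added here as an example and not code from either poster or from Wazuh: it maps a Wazuh alert (package.name, package.version, vulnerability.id) onto the Debian security tracker's per-release status for the source package, and separately checks whether the installed certifi carries the Debian patch that returns the system CA bundle. The tracker URL is the public JSON export; the binary-to-source mapping, the ca-certificates bundle path and the sample tracker entry are assumptions and constructed data, not a live tracker snapshot.

```python
import json
import shutil
import subprocess
import urllib.request

TRACKER_JSON = "https://security-tracker.debian.org/tracker/data/json"
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # assumed path installed by ca-certificates
# Binary -> source package; python3-certifi is built from python-certifi (tracker link in the thread).
SOURCE_OF = {"python3-certifi": "python-certifi"}

def fetch_tracker():
    """Download the full tracker export (it is large; cache it if you run this often)."""
    with urllib.request.urlopen(TRACKER_JSON, timeout=120) as resp:
        return json.load(resp)

def certifi_uses_system_bundle():
    """True if the installed certifi points at the system bundle (Debian's patch); None if not importable."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where() == DEBIAN_CA_BUNDLE

def installed_is_fixed(installed, fixed):
    """Compare Debian versions with dpkg; None when dpkg is unavailable or no fixed version is known."""
    if not fixed or shutil.which("dpkg") is None:
        return None
    rc = subprocess.run(["dpkg", "--compare-versions", installed, "ge", fixed]).returncode
    return rc == 0

def triage(alert, tracker, release="bookworm"):
    """Return the tracker's view of this alert for one release, plus whether the installed version is fixed."""
    src = SOURCE_OF.get(alert["package.name"], alert["package.name"])
    entry = tracker.get(src, {}).get(alert["vulnerability.id"])
    if entry is None:
        return {"verdict": "not-tracked", "source": src}
    rel = entry.get("releases", {}).get(release)
    if rel is None:
        return {"verdict": "no-entry-for-release", "source": src}
    fixed = rel.get("fixed_version")
    return {"verdict": rel.get("status", "undetermined"), "source": src, "fixed_version": fixed,
            "installed_fixed": installed_is_fixed(alert["package.version"], fixed)}

# Constructed sample: the alert from the thread and a minimal tracker entry (statuses are illustrative).
SAMPLE_ALERT = {"package.name": "python3-certifi", "package.version": "2022.9.24-1",
                "vulnerability.id": "CVE-2023-37920"}
SAMPLE_TRACKER = {"python-certifi": {"CVE-2023-37920": {"releases": {
    "bookworm": {"status": "open", "urgency": "low", "repositories": {"bookworm": "2022.9.24-1"}},
    "sid": {"status": "resolved", "fixed_version": "2023.7.22-1", "repositories": {"sid": "2023.7.22-1"}}}}}}
```

Against the live export, replace SAMPLE_TRACKER with fetch_tracker(); an "open" verdict together with certifi_uses_system_bundle() returning True is the signature of a backported patch that the scanner's version comparison cannot see.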