Re: Wazuh Security Alert
I guess this is the link you commented on in your post:
https://security-tracker.debian.org/tracker/CVE-2023-37920
Name: CVE-2023-37920
Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Package: python-certifi
Fixed Version: (unfixed)
Urgency: unimportant
Notes
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
Debian's python-certifi is patched to return the location of Debian-provided CA certificates
On Tuesday, 23-07-2024 at 09:14 Todd Zullinger wrote:
> Simon Bates wrote:
> > I recently started using Wazuh to manage the security of my servers and
> > Linux desktops.
> >
> > I have a Debian server that is raising the following alert:
> >
> > package.name: python3-certifi
> >
> > package.version: 2022.9.24-1
> >
> > vulnerability.id: CVE-2023-37920
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2023-37920
> >
> > https://tracker.debian.org/pkg/python-certifi
> >
> > I confirmed this on the machine in question and got the resulting output:
> > python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]
> >
> > Running "sudo apt update -y; sudo apt upgrade -y", does not seem to update
> > the package to the non-vulnerable version 2023.07.22.
> >
> > Is there anything I can do to resolve the issue, is this not an issue, or do
> > I need to wait for Debian to patch the package?
>
> For this particular CVE (and those which are similar), the
> security tracker¹ notes:
>
> Debian's python-certifi is patched to return the
> location of Debian-provided CA certificates
>
> The ca-certificates package is what would need to be
> updated. It looks like that's not done in bookworm yet, but
> has been done for trixie and sid.
>
> I don't know what the reason for not updating the package
> in bookworm may be, so I can't be of much more help,
> unfortunately.
>
> This seems to indicate that the Wazuh tool isn't reporting
> the most useful details, which is a common problem for
> distributions which backport patches rather than just update
> to the latest upstream version.
>
> Though the tool could be trying to use the Debian Security
> tracker to do the right thing and it would still report this
> issue since Debian seems to not mark it as a non-issue for
> python-certifi.
>
> Take all of this with a grain of salt too, as I'm still
> quite new to Debian and I may be misunderstanding the
> intended use of the security tracker (along with many other
> things). :)
>
> ¹ https://security-tracker.debian.org/tracker/CVE-2023-37920
>
> --
> Todd
>
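The practical question in the thread is which CA bundle a Debian host actually trusts: the scanner keys on the python3-certifi version, but the patched package returns the path of the ca-certificates bundle, so trust is governed by that package instead. The script below is an added example, not code from the thread or from either project. It uses only the standard library to (a) classify what certifi.where() resolves to and (b) compute SHA-256 fingerprints of every certificate in a PEM bundle so you can check whether specific distrusted roots are still present. The Debian bundle paths are assumed from the usual layout, and the distrusted-root fingerprints are labelled placeholders that you replace with values from an authoritative source (the thread names the roots removed in certifi 2023.07.22 but gives no fingerprints).

```python
"""Check which CA bundle Python's certifi resolves to on this host, and whether
a PEM bundle still contains roots you have decided to distrust.

Added example (not from the mailing-list thread); standard library only.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Paths under which Debian's patched python3-certifi returns the
# distribution-provided bundle (assumption: typical Debian layout).
DEBIAN_BUNDLE_PATHS = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/usr/lib/ssl/certs/ca-certificates.crt",
)

# PLACEHOLDER fingerprints (hex SHA-256 over the DER encoding). These are not
# real values: fill in the fingerprints of the roots you distrust.
DISTRUSTED_ROOT_FINGERPRINTS: Dict[str, str] = {
    "PLACEHOLDER-ROOT-A": "00" * 32,
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def classify_bundle_path(path: str) -> str:
    """Say whether a certifi.where() result is the system store or certifi's own copy."""
    if path in DEBIAN_BUNDLE_PATHS or path.startswith("/etc/ssl/certs/"):
        return "system"     # ca-certificates governs trust; the certifi version is moot
    if "/certifi/" in path:
        return "vendored"   # the cacert.pem shipped inside the certifi package itself
    return "unknown"


def certifi_bundle_path() -> Optional[str]:
    """Return certifi.where() if certifi is importable on this host, else None."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the fingerprint format used throughout this script."""
    return hashlib.sha256(data).hexdigest()


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 fingerprints of every CERTIFICATE block in a PEM bundle."""
    fingerprints = []
    for match in _PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprints.append(sha256_hex(der))
    return fingerprints


def distrusted_roots_present(
    pem_text: str, distrusted: Optional[Dict[str, str]] = None
) -> List[str]:
    """Names of distrusted roots whose fingerprint appears in the bundle."""
    if distrusted is None:
        distrusted = DISTRUSTED_ROOT_FINGERPRINTS
    present = set(pem_fingerprints(pem_text))
    return [name for name, fp in distrusted.items() if fp.lower() in present]


# Constructed sample for offline runs: the "DER" is an arbitrary byte string,
# not a real certificate, wrapped in PEM armour so the parser has input.
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    path = certifi_bundle_path()
    if path is None:
        print("certifi is not installed in this interpreter")
    else:
        print("certifi.where():", path, "->", classify_bundle_path(path))
        with open(path) as fh:
            hits = distrusted_roots_present(fh.read())
        print("distrusted roots still in bundle:", hits or "none")
```

Run it with the system interpreter (`python3`) so that the Debian-patched certifi is the one imported; a result of "system" means the python3-certifi version reported by the scanner is not what decides trust, and the ca-certificates version is what to track.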