CVE-2024-39689

Publication date 5 July 2024

Last updated 19 February 2025

Ubuntu priority

Negligible

Why this priority?

Cvss 3 Severity Score

7.5 · High

Score breakdown

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

Read the notes from the security team

Why is this CVE negligible priority?

Use of bundled CA certificates is patched out in Ubuntu

Learn more about Ubuntu priority

Status

Package Ubuntu Release Status
python-certifi 24.04 LTS noble Ignored see notes
23.10 mantic Ignored end of life, was needs-triage
22.04 LTS jammy Ignored see notes
20.04 LTS focal Ignored see notes
18.04 LTS bionic Ignored see notes
16.04 LTS xenial Ignored see notes
python-pip 24.04 LTS noble Ignored see notes
23.10 mantic Ignored end of life, was needs-triage
22.04 LTS jammy Ignored see notes
20.04 LTS focal Ignored see notes
18.04 LTS bionic Ignored see notes
16.04 LTS xenial Ignored see notes
14.04 LTS trusty Ignored end of ESM support, was ignored [see notes]

Notes

mdeslaur

On focal and earlier, the python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required. On jammy and later, python-certifi is bundled in the python-pip package and needs to be patched. In Debian and Ubuntu, the python-certifi packages are patched to return the location of the system CA certs provided by the ca-certificates package. While the source and binary packages do contain the ca certificates, they are not used by anything.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
python-certifi

Severity score breakdown

Parameter Value
Base score 7.5 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N