+++ This bug was initially created as a clone of Bug #31232 +++

Ubuntu has issued an advisory on December 5:
https://ubuntu.com/security/notices/USN-5761-1

The upstream change is this:
https://github.com/nss-dev/nss/commit/79ef8de788dfc8952d34155d3694ad1e159fcb3f
which Ubuntu deemed insufficient, and they completely removed the TrustCor CA cert(s) from their package, which I have not done.

A more detailed explanation of this issue is here:
https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem

CVE-2022-23491 has been issued for this in association with the python-certifi package:
https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8

If this package is bundling its own copy of the rootcerts, that should be changed so that it uses our system rootcerts. It also should be updated.
Whiteboard: (none) => MGA8TOO
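The opening comment asks for two things: that the package stop using a bundled copy of the root certificates in favour of the system store, and (as Ubuntu did) that the TrustCor roots be dropped. As an added example, not code from the bug report, the certifi project or any distribution package, the script below does both checks in Python: it audits a certifi-style cacert.pem against a SHA-256 fingerprint blocklist and writes a filtered bundle, and it shows a where()-style lookup that prefers the distro bundle over the package's private copy. The sample certificates and the blocklist are constructed, the paths in SYSTEM_BUNDLE_CANDIDATES are assumed, and all function names are mine; real TrustCor fingerprints should be taken from the NSS commit linked above.

```python
"""Audit a PEM CA bundle for distrusted roots and prefer the system store.
Added example (not the bug report's or certifi's code); certificates,
blocklist and distro paths are constructed/assumed for the demo."""
import base64
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Tuple

LABEL_RE = re.compile(r'^# Label:\s*"([^"]*)"', re.M)

@dataclass
class Entry:
    comments: str  # "# Issuer/Subject/Label/..." header lines, possibly empty
    pem: str       # BEGIN...END CERTIFICATE text, verbatim
    der: bytes     # decoded body; fingerprints are computed over this

    @property
    def label(self) -> str:
        m = LABEL_RE.search(self.comments)
        return m.group(1) if m else ""

def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as certifi's headers show it."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def parse_bundle(text: str) -> List[Entry]:
    """Split a certifi/ca-certificates style bundle into entries, keeping the
    comment header that precedes each certificate attached to it."""
    entries: List[Entry] = []
    comments: List[str] = []
    pem: List[str] = []
    for line in text.splitlines():
        if pem:  # inside a certificate block
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                der = base64.b64decode("".join(pem[1:-1]))
                entries.append(Entry("\n".join(comments), "\n".join(pem), der))
                comments, pem = [], []
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif line.startswith("#"):
            comments.append(line)
        # blank separator lines are dropped and regenerated on output
    return entries

def audit_bundle(text: str, blocked: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (filtered bundle text, labels of the certificates removed).
    Blocklist entries may be upper/lower case, with or without colons."""
    wanted = {fp.replace(":", "").upper() for fp in blocked}
    kept, removed = [], []
    for e in parse_bundle(text):
        fp = fingerprint_sha256(e.der)
        if fp.replace(":", "") in wanted:
            removed.append(e.label or fp)
        else:
            kept.append((e.comments + "\n" if e.comments else "") + e.pem + "\n")
    return "\n".join(kept), removed

# Assumed distro bundle locations (Mageia/Fedora layout first, Debian second).
SYSTEM_BUNDLE_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)

def preferred_bundle_path(bundled_copy: str, env: Mapping[str, str] = os.environ) -> str:
    """Mimic a distro-patched certifi.where(): honour SSL_CERT_FILE, then the
    system bundle, and fall back to the package's private copy only last."""
    override = env.get("SSL_CERT_FILE")
    if override:
        return override
    for path in SYSTEM_BUNDLE_CANDIDATES:
        if os.path.isfile(path):
            return path
    return bundled_copy

def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed stand-ins for DER certificates: the fingerprint logic does not
# care whether the bytes parse as X.509, so the demo runs without real roots.
FAKE_ROOT_A = b"constructed DER standing in for a root that stays trusted"
FAKE_ROOT_B = b"constructed DER standing in for a root being distrusted"
SAMPLE_BUNDLE = "\n".join([
    '# Label: "Constructed Root A"',
    "# SHA256 Fingerprint: " + fingerprint_sha256(FAKE_ROOT_A),
    _pem(FAKE_ROOT_A), "",
    '# Label: "Constructed Root B"',
    "# SHA256 Fingerprint: " + fingerprint_sha256(FAKE_ROOT_B),
    _pem(FAKE_ROOT_B), "",
])
```

Against a real bundle, `audit_bundle(open(certifi.where()).read(), {...})` with the published TrustCor fingerprints shows what Ubuntu's package change removed; `preferred_bundle_path` mirrors what a distribution patch to `certifi.where()` typically does, which is the route the first comment asks for.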
SUSE has issued an advisory for this on January 25: https://lists.suse.com/pipermail/sle-security-updates/2023-January/013525.html
(In reply to David Walser from comment #1)
> SUSE has issued an advisory for this on January 25:
> https://lists.suse.com/pipermail/sle-security-updates/2023-January/013525.html

Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y3LLORQTVTGQTFXP5FORJ4PISPVZLTEA/
urpmq --whatrequires python3-twisted
buildbot
buildbot-master
buildbot-worker
deluge
kajongg
...
syncevolution
CC: (none) => yves.brungard_mageia
Fedora has issued an advisory for this today (March 30): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XVERIAPNA4QIBOA26OBVAYISGS3HRQDC/
The issue is fixed upstream in 2022.12.07.
Severity: normal => major
Status comment: (none) => Fixed upstream in 2022.12.07
On Cauldron we have already python3-certifi-2022.12.7-1.mga9
CC: (none) => geiger.david68210
Done for mga8!
python3-certifi-2022.12.7-1.mga8 from python-certifi-2022.12.7-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Source RPM: python-certifi-2022.6.15-1.mga9.src.rpm => python-certifi-2020.6.20-1.mga8.src.rpm
Assignee: python => qa-bugs
Status comment: Fixed upstream in 2022.12.07 => (none)
Version: Cauldron => 8
No installation issues. No previous updates. urpmq --whatrequires indicates that yt-dlp needs this package, and in turn Clipgrab requires yt-dlp. So, tested by using Clipgrab to download three different Youtube videos. No issues noted. Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
MGA8-64 MATE on Acer Aspire 5253

No installation issues. No previous updates, so chasing around and found that yt-dlp is dependent. So I did:

$ strace -o ~/Documents/certif.txt yt-dlp https://www.youtube.com/watch?v=_Qci7E8nQ_o&pp=ygUSb2xkIGlyaXNoIGJsZXNzaW5n
[1] 19983
[tester8@mach7 Music]$ [youtube] Extracting URL: https://www.youtube.com/watch?v=_Qci7E8nQ_o
[youtube] _Qci7E8nQ_o: Downloading webpage
[youtube] _Qci7E8nQ_o: Downloading android player API JSON
[info] _Qci7E8nQ_o: Downloading 1 format(s): 248+251
[download] Destination: Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f248.webm
[download] 100% of 30.65MiB in 00:00:07 at 4.24MiB/s
[download] Destination: Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f251.webm
[download] 100% of 2.15MiB in 00:00:00 at 4.54MiB/s
[Merger] Merging formats into "Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].webm"
Deleting original file Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f248.webm (pass -k to keep)
Deleting original file Old Irish Blessing - Denes Agay [_Qci7E8nQ_o].f251.webm (pass -k to keep)
[1]+ Done strace -o ~/Documents/certif.txt yt-dlp https://www.youtube.com/watch?v=_Qci7E8nQ_o

And found different refs to /usr/lib/python3.8/site-packages/certifi/ and the resulting file plays in vlc, so OK for me.
CC: (none) => herman.viaene
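The tester above used strace to confirm that yt-dlp touched the certifi package directory. As an added example, not part of the bug report or of any tool mentioned in it, the Python script below turns that manual inspection into a check: it parses an `strace -o` log for successful openat() calls on CA stores and reports which bundle the process actually read, so a QA comment can state "read the distro bundle" or "read certifi's private cacert.pem" rather than "found refs to". The log excerpt is constructed, the path fragments in CA_STORE_HINTS are assumed, and the function names are mine.

```python
"""Which CA store did the traced process actually read?
Added example (not from the bug report); the strace excerpt and the
path hints are constructed/assumed for the demo."""
import re
from typing import Dict

# Matches strace's openat() lines, with or without the "[pid N]" prefix -f adds:
#   openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
#   openat(AT_FDCWD, "/missing.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
OPENAT_RE = re.compile(
    r'(?:\[pid\s+\d+\]\s+)?openat\([^,]+,\s*"([^"]+)"[^)]*\)\s*=\s*(-?\d+)'
)

# Assumed path fragments that identify a CA store: distro bundles, OpenSSL's
# hashed-directory default, and certifi's bundled copy.
CA_STORE_HINTS = (
    "ca-bundle.crt",
    "ca-certificates.crt",
    "/etc/ssl/certs/",
    "certifi/cacert.pem",
)

def opened_ca_stores(log_text: str) -> Dict[str, int]:
    """Map each CA-store path that was opened successfully to its open count.
    Failed opens (return value -1) are ignored: a probe for a missing file
    says nothing about which store was used."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = OPENAT_RE.search(line)
        if not m or int(m.group(2)) < 0:
            continue
        path = m.group(1)
        if any(hint in path for hint in CA_STORE_HINTS):
            counts[path] = counts.get(path, 0) + 1
    return counts

def uses_private_bundle(counts: Dict[str, int]) -> bool:
    """True when the process read certifi's own cacert.pem at least once."""
    return any(p.endswith("certifi/cacert.pem") for p in counts)

# Constructed log excerpt: a Python client that probes for the distro bundle
# without finding it and then reads certifi's bundled copy twice.
SAMPLE_LOG = """\
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/certifi/__init__.py", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/certifi/cacert.pem", O_RDONLY|O_CLOEXEC) = 4
[pid 19984] openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/certifi/cacert.pem", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/home/tester8/Music/Old Irish Blessing.webm", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
"""

if __name__ == "__main__":
    stores = opened_ca_stores(SAMPLE_LOG)
    for path, n in sorted(stores.items()):
        print(f"{n:3d}  {path}")
    print("private certifi bundle used:", uses_private_bundle(stores))
```

Feed it the real `~/Documents/certif.txt` from the run above (`opened_ca_stores(open(path).read())`); if `uses_private_bundle` is true after the update, the package is still shipping its own root store rather than the system one.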
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0140.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED