• Re: Wazuh Security Alert

    From Todd Zullinger@21:1/5 to Simon Bates on Tue Jul 23 01:30:01 2024
    Simon Bates wrote:
    I recently started using Wazuh to manage the security of my servers and
    Linux desktops.

    I have a Debian server that is raising the following alert:

    package.name: python3-certifi

    package.version: 2022.9.24-1

    vulnerability.id: CVE-2023-37920

    https://nvd.nist.gov/vuln/detail/CVE-2023-37920

    https://tracker.debian.org/pkg/python-certifi

    I confirmed this on the machine in question and got the resulting output: python3-certifi/stable,now 2022.9.24-1 all [installed,automatic]

    Running "sudo apt update -y; sudo apt upgrade -y" does not seem to update the package to the non-vulnerable version 2023.07.22.

    Is there anything I can do to resolve the issue, is this not an issue, or do I need to wait for Debian to patch the package?

    For this particular CVE (and those which are similar), the
    security tracker¹ notes:

    Debian's python-certifi is patched to return the
    location of Debian-provided CA certificates

    The ca-certificates package is what would need to be
    updated. It looks like that's not done in bookworm yet, but
    has been done for trixie and sid.

    I don't know what the reason for not updating the package
    in bookworm may be, so I can't be of much more help,
    unfortunately.

    This seems to indicate that the Wazuh tool isn't reporting
    the most useful details, which is a common problem for
    distributions which backport patches rather than just update
    to the latest upstream version.

    Though the tool could be trying to use the Debian Security
    tracker to do the right thing and it would still report this
    issue since Debian seems to not mark it as a non-issue for
    python-certifi.

    Take all of this with a grain of salt too, as I'm still
    quite new to Debian and I may be misunderstanding the
    intended use of the security tracker (along with many other
    things). :)

    ¹ https://security-tracker.debian.org/tracker/CVE-2023-37920

    --
    Todd


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
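    To check the point Todd makes (that on Debian the exposure is decided by what certifi.where() returns and by the contents of the ca-certificates bundle, not by the python3-certifi version string), here is an added example that is not from the thread. It assumes Debian's patched certifi returns /etc/ssl/certs/ca-certificates.crt, and it locates e-Tugra certificates with a byte search over the DER rather than a full ASN.1 parser; the sample bundle is constructed, not a real certificate.

```python
"""Verify whether a Debian host is actually exposed to CVE-2023-37920.

The scanner only sees python3-certifi 2022.9.24-1. What matters on Debian is
which bundle certifi.where() points at and whether that bundle still holds the
e-Tugra roots that upstream certifi 2023.07.22 removed.
"""
import base64
import re
from typing import List

# Assumption: path Debian's patched certifi.where() returns.
DEBIAN_SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_BLOCK.findall(pem_text)]


def count_certs_naming(pem_text: str, ca_name: str = "e-Tugra") -> int:
    """Count certificates whose DER encoding contains CA_NAME.

    Heuristic (assumption): X.509 name attributes are PrintableString or
    UTF8String, so the CA name appears as plain ASCII bytes inside the DER.
    """
    needle = ca_name.encode()
    return sum(1 for der in split_pem_bundle(pem_text) if needle in der)


def uses_system_bundle(certifi_path: str) -> bool:
    """True when certifi points at Debian's ca-certificates bundle."""
    return certifi_path == DEBIAN_SYSTEM_BUNDLE


def assess(certifi_path: str, pem_text: str) -> str:
    """One-line verdict: which bundle is in use and whether e-Tugra is in it."""
    source = "system ca-certificates" if uses_system_bundle(certifi_path) else "certifi's own bundle"
    hits = count_certs_naming(pem_text)
    status = "e-Tugra roots still present" if hits else "no e-Tugra roots"
    return f"{source} ({certifi_path}): {status} ({hits} matching certs)"


def make_pem(der: bytes) -> str:
    """Wrap raw bytes as a PEM block (used to build the constructed sample)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


# Constructed sample bundle: two fake "certificates", one naming e-Tugra.
SAMPLE_BUNDLE = make_pem(b"\x30\x82constructed e-Tugra Certification Authority") + make_pem(b"\x30\x82constructed Other Root CA")

if __name__ == "__main__":
    import certifi  # python3-certifi on Debian is patched to return the system bundle
    path = certifi.where()
    with open(path) as f:
        print(assess(path, f.read()))
```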
  • From George at Clug@21:1/5 to All on Tue Jul 23 02:30:01 2024
    I guess this is the link you commented on in your post:

    https://security-tracker.debian.org/tracker/CVE-2023-37920
    Name: CVE-2023-37920
    Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
    Package: python-certifi
    Fixed Version: (unfixed)
    Urgency: unimportant

    Notes https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
    Debian's python-certifi is patched to return the location of Debian-provided CA certificates


    On Tuesday, 23-07-2024 at 09:14 Todd Zullinger wrote: