From: "lauren n. liberda"
To: ~alpine/users@lists.alpinelinux.org
Subject: Re: Inquiry on CVE-2024-39689 Fix and Update Timeline
Date: Tue, 6 Aug 2024 06:28:32 +0200
Message-ID: <8a303077-8e0d-407a-bfbc-7f361f38593c@selfisekai.rocks>

hi,

py3-certifi package in alpine is patched to return the path of ca-certificates, which distributes mozilla's CA bundle, and does not distribute its own root certificate list, so the version of py3-certifi does not matter.

the issue described in the CVE applies to the ca-certificates package though, where it's been fixed since version 20240705, shipped on 2024-07-05 (see https://gitlab.alpinelinux.org/alpine/ca-certificates/-/commit/affc05d8b5483e39c66a41b80ee47e60951d94ef)

On 06-08-2024 06:07, Siddharth Srivastava wrote:
> Dear Alpine Team,
> I am writing to inquire about the fix for CVE-2024-39689 in Alpine
> Linux. Our team has noted that the current latest available version of
> alpine 3.20 is using py3-certifi 2024.2.2 version and is still
> affected by this vulnerability. Given the importance of maintaining
> security and stability in our systems, we are keen to update to a
> version that addresses this issue.
> Could you kindly provide us with information on when the fix will be
> released and an estimated timeline for the availability of the updated
> version 2024.07.04?
> Your prompt response would be greatly appreciated as it will help us
> in planning our update process accordingly.
> Thank you for your attention to this matter.
> Best regards,
> Siddharth Srivastava

-- 
lauren n. liberda
it/she, het/zij, to [coś]/ona
https://liberda.nl/
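
A check for the situation described in the reply above, as an added example that is not part of the original message or of Alpine's own code: it reports whether certifi resolves to the system CA bundle and counts bundle entries whose DER bytes contain a given name. The bundle path, the `GLOBALTRUST` name (taken from the public CVE-2024-39689 advisory, not from this thread) and all function names are assumptions.

```python
import base64
import os
import re

# Assumption: Alpine's ca-certificates bundle path; adjust if yours differs.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
# Assumption: name from the public CVE-2024-39689 advisory, not from this thread.
DISTRUSTED_NAME = b"GLOBALTRUST"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def count_matching_certs(pem_text, needle=DISTRUSTED_NAME):
    """Return (total, hits): certificates in the bundle and how many contain
    `needle` in their DER bytes (subject/issuer names are stored as text)."""
    total = hits = 0
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # skip damaged blocks instead of aborting the scan
        total += 1
        hits += needle in der
    return total, hits


def certifi_uses_system_bundle(system_bundle=SYSTEM_BUNDLE):
    """True/False if certifi resolves to the system bundle, None if certifi is absent."""
    try:
        import certifi
    except ImportError:
        return None
    return os.path.realpath(certifi.where()) == os.path.realpath(system_bundle)


def fake_pem(payload):
    """Constructed stand-in for a certificate: arbitrary bytes, not real DER."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


if __name__ == "__main__":
    print("certifi -> system bundle:", certifi_uses_system_bundle())
    if os.path.exists(SYSTEM_BUNDLE):
        with open(SYSTEM_BUNDLE, encoding="ascii", errors="replace") as fh:
            print("(total, matching):", count_matching_certs(fh.read()))
```

A byte search over the decoded certificate is a heuristic; a nonzero match count is a prompt to inspect the entry with a real X.509 parser, not proof on its own.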