~alpine/users

Inquiry on CVE-2024-39689 Fix and Update Timeline

Message ID
<DS0PR10MB6149F8CED4DC162A27A41793A3BF2@DS0PR10MB6149.namprd10.prod.outlook.com>
DKIM signature
missing
Dear Alpine Team,
I am writing to inquire about the fix for CVE-2024-39689 in Alpine Linux. Our team has noted that the current latest available version of alpine 3.20 is using py3-certifi 2024.2.2 version and is still affected by this vulnerability. Given the importance of maintaining security and stability in our systems, we are keen to update to a version that addresses this issue.
Could you kindly provide us with information on when the fix will be released and an estimated timeline for the availability of the updated version 2024.07.04?
Your prompt response would be greatly appreciated as it will help us in planning our update process accordingly.
Thank you for your attention to this matter.
Best regards,
Siddharth Srivastava

Re: Inquiry on CVE-2024-39689 Fix and Update Timeline

lauren n. liberda <lauren@selfisekai.rocks>
Message ID
<8a303077-8e0d-407a-bfbc-7f361f38593c@selfisekai.rocks>
In-Reply-To
<DS0PR10MB6149F8CED4DC162A27A41793A3BF2@DS0PR10MB6149.namprd10.prod.outlook.com>
DKIM signature
missing
hi,


py3-certifi package in alpine is patched to return the path of 
ca-certificates, which distributes mozilla's CA bundle, and does not 
distribute its own root certificate list, so the version of py3-certifi 
does not matter.


the issue described in the CVE applies to the ca-certificates package 
though, where it's been fixed since version 20240705, shipped on 
2024-07-05 (see 
https://gitlab.alpinelinux.org/alpine/ca-certificates/-/commit/affc05d8b5483e39c66a41b80ee47e60951d94ef)


On 06-08-2024 06:07, Siddharth Srivastava wrote:
> Dear Alpine Team,
> I am writing to inquire about the fix for CVE-2024-39689 in Alpine 
> Linux. Our team has noted that the current latest available version of 
> alpine 3.20 is using py3-certifi 2024.2.2 version and is still 
> affected by this vulnerability. Given the importance of maintaining 
> security and stability in our systems, we are keen to update to a 
> version that addresses this issue.
> Could you kindly provide us with information on when the fix will be 
> released and an estimated timeline for the availability of the updated 
> version 2024.07.04?
> Your prompt response would be greatly appreciated as it will help us 
> in planning our update process accordingly.
> Thank you for your attention to this matter.
> Best regards,
> Siddharth Srivastava

-- 
lauren n. liberda
it/she, het/zij, to [coś]/ona
https://liberda.nl/
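
One way to confirm on a given system what the reply above describes, as an added example that is not part of the original thread or Alpine's own code: it reports whether `certifi.where()` resolves inside the certifi package directory (its own bundle) or to a file elsewhere, such as the system CA bundle, and can list roots in that file by a subject fragment you supply. The function names `bundle_origin`, `roots_matching` and `inspect_certifi` are hypothetical.

```python
"""Triage helper: does this Python's certifi use its own CA bundle or another file?"""
import importlib.util
import os
import ssl
import sys


def bundle_origin(where_path, package_dir):
    """Return 'bundled' if where_path resolves inside package_dir, else 'external'."""
    real = os.path.realpath(where_path)  # follow symlinks to the real file
    pkg = os.path.realpath(package_dir)
    return "bundled" if os.path.commonpath([real, pkg]) == pkg else "external"


def roots_matching(cafile, needle):
    """Subjects of CA certs in cafile whose subject contains needle (case-insensitive)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    hits = []
    for cert in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (field, value) pairs
        subject = ", ".join(f"{k}={v}" for rdn in cert["subject"] for k, v in rdn)
        if needle.lower() in subject.lower():
            hits.append(subject)
    return hits


def inspect_certifi():
    """Report on the installed certifi, or None if it is not installed."""
    spec = importlib.util.find_spec("certifi")
    if spec is None or spec.origin is None:
        return None
    import certifi
    where = certifi.where()
    return {
        "version": getattr(certifi, "__version__", "unknown"),
        "where": where,
        "resolved": os.path.realpath(where),
        "origin": bundle_origin(where, os.path.dirname(spec.origin)),
    }


if __name__ == "__main__":
    report = inspect_certifi()
    print(report or "certifi is not installed")
    # Optional argument: a subject fragment of the root you are checking for.
    if report and len(sys.argv) > 1:
        print(roots_matching(report["resolved"], sys.argv[1]))
```

An `origin` of `external` means the certifi version string says nothing about which roots are trusted; the file it resolves to, and the package that owns that file, is what needs to be current.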