CVE-2024-39689: Certifi removes GLOBALTRUST root certificate
(updated )
Certifi 2024.07.04 removes root certificates from “GLOBALTRUST” from the root store. These are in the process of being removed from Mozilla’s trust store.
GLOBALTRUST’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues”. Conclusions of Mozilla’s investigation can be found here.
References
- github.com/advisories/GHSA-248v-346w-9cwc
- github.com/certifi/python-certifi
- github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
- github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
- github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2024-230.yaml
- groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
- nvd.nist.gov/vuln/detail/CVE-2024-39689
- security.netapp.com/advisory/ntap-20241206-0001
Code Behaviors & Features
Detect and mitigate CVE-2024-39689 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →