Open germanbravouy opened 3 weeks ago
@germanbravouy this module is patched inside the bundle and it should always return the path to the CA bundle of the system; it is not shipping its own CA bundle. So just bumping the version of it does not make much sense in general.
@vzhestkov To clarify, even in the current version the venv-salt-minion rpm contains the problematic /usr/lib/venv-salt-minion/lib/python3.11/site-packages/certifi (just checked venv-salt-minion-3006.0-35.72.uyuni.x86_64.rpm). The vulnerability scanner returns:
Path : /usr/lib/venv-salt-minion/lib/python3.11/site-packages/certifi
Installed version : 2023.7.22
Fixed version : 2024.07.04
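A triage check for the disagreement above, added here and not part of the issue or of the venv-salt-minion project: it asks an interpreter where its certifi points, classifies that path as the bundled site-packages copy or a system bundle, and lists the friendly names in a PEM bundle from the "# Label:" comment lines certifi's cacert.pem carries. The sample bundle is constructed (placeholder base64, not real certificates); the interpreter path passed on the command line is assumed to be the venv's python.

```python
#!/usr/bin/env python3
"""Does this interpreter's certifi hand out its own cacert.pem, or the system CA bundle?"""
import re
import subprocess
import sys

# Constructed sample in the comment-header style of certifi's cacert.pem
# ("# Label:" precedes each PEM block). The base64 bodies are placeholders, not real certs.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example
# Subject: CN=Example Root CA O=Example
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
# Label: "GLOBALTRUST 2020"
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
"""

def classify_bundle_path(path: str) -> str:
    """'bundled' when certifi.where() points into its own site-packages copy,
    'system' for anything else (e.g. /etc/ssl/ca-bundle.pem or /etc/pki/...)."""
    return "bundled" if re.search(r"site-packages[\\/]certifi[\\/]", path) else "system"

def bundle_labels(pem_text: str) -> list:
    """Friendly names from the '# Label:' comment lines certifi ships before each cert."""
    return re.findall(r'^# Label: "(.+)"$', pem_text, flags=re.MULTILINE)

def labels_matching(pem_text: str, needle: str) -> list:
    """Labels whose name contains `needle` (case-insensitive), e.g. 'globaltrust'."""
    return [label for label in bundle_labels(pem_text) if needle.lower() in label.lower()]

def certifi_where(python: str):
    """Ask an interpreter (assumed: the venv's python) for certifi.where(); None if absent."""
    proc = subprocess.run([python, "-c", "import certifi; print(certifi.where())"],
                          capture_output=True, text=True)
    return proc.stdout.strip() or None

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable  # venv interpreter path
    where = certifi_where(target)
    if where is None:
        print(f"{target}: certifi not importable")
        sys.exit(0)
    print(f"{target}: certifi.where() = {where} ({classify_bundle_path(where)})")
    with open(where, encoding="utf-8", errors="replace") as fh:
        hits = labels_matching(fh.read(), "globaltrust")
    print("GLOBALTRUST labels in that bundle:", hits or "none")
```

A "bundled" result means the scanner's finding is live for that interpreter; a "system" result means the venv defers to the distribution's trust store, which is what the patch is meant to guarantee.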
Problem description
Doing a vulnerability assessment over a system which has the venv-salt-minion of Uyuni installed reports the use of a Python dependency that contains an untrusted root certificate.
The plugin reports:
The detected version of the Certifi Python package, certifi, is prior to version 2024.07.04. It therefore contains untrusted root certificates from GLOBALTRUST. An unauthenticated, remote attacker can exploit this to gain arbitrary permissions within the application.
Can the version of the Python dependency of venv-salt-minion be upgraded to version 2024.07.04? Can we upgrade the version of certifi manually inside the venv-salt-minion without affecting the functionality of the Uyuni Salt Minion?
Thanks
Steps to reproduce
Uyuni version
Uyuni proxy version (if used)
Useful logs
Additional information
No response