uyuni-project / uyuni

Source code for Uyuni
https://www.uyuni-project.org/
GNU General Public License v2.0

Uyuni Salt minion dependency untrusted certificate #9210

Open germanbravouy opened 3 weeks ago

germanbravouy commented 3 weeks ago

Problem description

A vulnerability assessment of a system that has the Uyuni venv-salt-minion installed reports the use of a Python dependency that contains an untrusted root certificate.

The plugin reports: The detected version of the Certifi Python package, certifi, is prior to version 2024.07.04. It therefore contains untrusted root certificates from GLOBALTRUST. An unauthenticated, remote attacker can exploit this to gain arbitrary permissions within the application.

Can the version of the Python dependency of venv-salt-minion be upgraded to version 2024.07.04? Can we upgrade the version of certifi manually inside the venv-salt-minion without affecting the functionality of the Uyuni Salt minion?

Thanks

Steps to reproduce

Uyuni version

2024.03, looking to update to latest version

Uyuni proxy version (if used)

2024.03, looking to update to latest version

Useful logs

-

Additional information

No response

vzhestkov commented 3 weeks ago

@germanbravouy this module is patched inside the bundle: it should always return the path to the system CA bundle, and it does not ship its own CA bundle. So just bumping its version does not make much sense in general.

kluchoslaw commented 3 weeks ago

@vzhestkov To clarify, even in the current version the venv-salt-minion rpm contains the problematic /usr/lib/venv-salt-minion/lib/python3.11/site-packages/certifi (just checked venv-salt-minion-3006.0-35.72.uyuni.x86_64.rpm). The vulnerability scanner returns:

Path : /usr/lib/venv-salt-minion/lib/python3.11/site-packages/certifi
Installed version : 2023.7.22
Fixed version : 2024.07.04
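The two comments above disagree on what matters: the scanner keys on the certifi package version found on disk, while the maintainer's point is that the bundled certifi is patched so that certifi.where() resolves to the system CA bundle rather than the package's own cacert.pem. The script below is an added example (not code from the Uyuni project or from either commenter) that checks both claims directly: run with the bundle's interpreter, assumed here to be /usr/lib/venv-salt-minion/bin/python, it reports what certifi.where() returns, whether that file is certifi's own cacert.pem, and whether the bundle actually in use still carries a root whose subject contains GLOBALTRUST. The subject is extracted with a minimal DER walk so no third-party library is needed; the two sample certificates are constructed, unsigned skeletons used only to exercise the bundle scanner.

```python
"""Report what certifi in the running interpreter resolves to and whether
that bundle still carries a GLOBALTRUST root.  Added example, not code
from the Uyuni project or from the thread.  Intended to be run as
  /usr/lib/venv-salt-minion/bin/python check_certifi.py
(interpreter path taken from the thread); the sample certificates below
are constructed and carry no real keys or signatures."""
import base64
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_subject(der):
    """Return the raw DER of the subject Name of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    for _ in range(4):                      # serial, signature, issuer, validity
        _, _, p = _tlv(der, p)
    _, start, end = _tlv(der, p)            # subject Name
    return der[start:end]


def find_roots(pem_text, needle=b"GLOBALTRUST"):
    """Return (certs in bundle, certs whose subject contains `needle`).
    CN/O values are ASCII strings inside the Name DER, so a byte search
    over the subject is enough to spot the GLOBALTRUST roots."""
    subjects = [der_subject(base64.b64decode("".join(b.split())))
                for b in PEM_RE.findall(pem_text)]
    return len(subjects), sum(1 for s in subjects if needle in s)


def certifi_report():
    """Describe certifi as seen by this interpreter: where() may point at
    the package's own cacert.pem or, if patched as the thread says, at the
    system CA bundle; the GLOBALTRUST count is for the file actually used."""
    import certifi
    where = certifi.where()
    own = os.path.join(os.path.dirname(certifi.__file__), "cacert.pem")
    with open(where, encoding="utf-8", errors="replace") as f:
        total, hits = find_roots(f.read())
    return {"version": getattr(certifi, "__version__", "?"), "where": where,
            "uses_own_bundle": os.path.realpath(where) == os.path.realpath(own),
            "certs": total, "globaltrust_roots": hits}


# --- constructed sample input (no real keys, not a real CA) -----------------
def _der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert(cn):
    """Structurally valid, unsigned X.509 skeleton with CN=`cn`."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                        + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))            # version v3
           + _der(0x02, b"\x01")                       # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name                                      # issuer
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
           + name                                      # subject
           + _der(0x30, b""))                          # subjectPublicKeyInfo stub
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = ('# Label: "GLOBALTRUST 2020"\n' + to_pem(fake_cert("GLOBALTRUST 2020"))
                 + '# Label: "ISRG Root X1"\n' + to_pem(fake_cert("ISRG Root X1")))

if __name__ == "__main__":
    print("sample bundle (certs, GLOBALTRUST):", find_roots(SAMPLE_BUNDLE))
    try:
        print(certifi_report())
    except ImportError:
        print("certifi is not importable from this interpreter")
```

If the report shows uses_own_bundle False and globaltrust_roots 0, the interpreter is trusting the system store and the scanner finding is a version-string match only; if it shows uses_own_bundle True with a non-zero count, the package's own cacert.pem is in use and the untrusted root is live for that interpreter. Either way the file that certifi.where() names, not the certifi version number, is what decides the exposure.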