Upgrade urllib3 Python and certifi

vitusso

Member
Dec 19, 2022
Regarding the vulnerability fixes for urllib3 (Fixed version: 1.26.19) and certifi (Fixed version: 2024.07.04), related to CVE-2024-37891 and CVE-2024-39689, has anyone managed to fix them?
 
Hello, since there is no solution yet, I had to do a procedure so that Nessus no longer finds the vulnerability:
In the path "/usr/lib/python3/dist-packages" I renamed the certifi and urllib3 folders to certifi.OLD and urllib3.OLD.
Apparently Proxmox does not use them and so I had no impact. When I perform a new upgrade I will return to the correct names and check if they are updated.
 
Seems like neither of these packages is in the actual Proxmox repo, which means they do not maintain them and it's on upstream Debian to correct them.
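
An added example, not code from any poster in this thread: a Python check that reads the package metadata in a dist-packages-style directory, compares urllib3 and certifi against the fixed versions quoted above, and reports whether the importable package folder is still present under its original name. The sample directory and its version numbers are constructed, and `vtuple`, `read_metadata`, `audit` and `build_sample` are hypothetical names.

```python
import re, tempfile
from email.parser import HeaderParser
from pathlib import Path

FIXED = {"urllib3": "1.26.19", "certifi": "2024.07.04"}  # fixed versions quoted in the thread

def vtuple(version):
    # Simplification: numeric dotted versions only, '2024.07.04' -> (2024, 7, 4).
    parts = (re.match(r"\d+", p) for p in version.split("."))
    return tuple(int(m.group()) for m in parts if m)

def read_metadata(entry):
    # *.egg-info may be a single file or a directory; *.dist-info is a directory.
    files = [entry / "METADATA", entry / "PKG-INFO"] if entry.is_dir() else [entry]
    for f in files:
        if f.is_file():
            h = HeaderParser().parsestr(f.read_text(errors="replace"))
            if h["Name"] and h["Version"]:
                return h["Name"].lower(), h["Version"]
    return None

def audit(site_dir):
    # Report metadata version, comparison with the fixed version, and whether
    # the importable package folder still exists under its original name.
    site, report = Path(site_dir), {}
    for entry in sorted(site.iterdir()):
        meta = read_metadata(entry) if entry.suffix in (".dist-info", ".egg-info") else None
        if meta and meta[0] in FIXED:
            name, version = meta
            report[name] = {
                "version": version,
                "below_fixed": vtuple(version) < vtuple(FIXED[name]),
                "package_dir_present": (site / name).is_dir(),
            }
    return report

def build_sample(root):
    # Constructed layout: urllib3 folder renamed to urllib3.OLD, certifi untouched.
    root = Path(root)
    for name, version, folder in [("urllib3", "1.26.12", "urllib3.OLD"),
                                  ("certifi", "2022.9.24", "certifi")]:
        (root / folder).mkdir()
        info = root / f"{name}-{version}.egg-info"
        info.mkdir()
        (info / "PKG-INFO").write_text(f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for pkg, row in audit(build_sample(tmp)).items():
            print(pkg, row)
```

In the constructed sample the renamed `urllib3.OLD` folder leaves the `.egg-info` metadata in place, so the reported version is unchanged while the package folder is no longer present under its import name. A distribution package can carry a backported fix under an older upstream version number, so `below_fixed` is a prompt to check the distribution's security tracker rather than proof of exposure.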