Amazon Linux 2 Security Advisory: ALAS-2022-1742
Advisory Release Date: 2022-01-18 21:38 Pacific
Advisory Updated Date: 2022-01-20 19:31 Pacific
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. (CVE-2021-28363)
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. (CVE-2021-3572)
Affected Packages:
python-pip
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python-pip to update your system.
noarch:
python2-pip-20.2.2-1.amzn2.0.3.noarch
python3-pip-20.2.2-1.amzn2.0.3.noarch
python-pip-wheel-20.2.2-1.amzn2.0.3.noarch
src:
python-pip-20.2.2-1.amzn2.0.3.src