Vulmon
Amazon Linux 2 Security Advisory: ALAS-2022-1742
Advisory Release Date: 2022-01-18 21:38 Pacific
Advisory Updated Date: 2022-01-20 19:31 Pacific
Severity:
Medium
Issue Overview:
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. (CVE-2021-28363)
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. (CVE-2021-3572)
Affected Packages:
python-pip
Issue Correction:
Run yum update python-pip to update your system.
New Packages:
noarch:
python2-pip-20.2.2-1.amzn2.0.3.noarch
python3-pip-20.2.2-1.amzn2.0.3.noarch
python-pip-wheel-20.2.2-1.amzn2.0.3.noarch
src:
python-pip-20.2.2-1.amzn2.0.3.src