Amazon Linux 2 Security Advisory: ALAS2-2021-1667
Advisory Released Date: 2021-06-23
Advisory Updated Date: 2025-08-07
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. (CVE-2021-28363)
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. (CVE-2021-3572)
Affected Packages:
python-pip
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python-pip or yum update --advisory ALAS2-2021-1667 to update your system.
noarch:
python2-pip-20.2.2-1.amzn2.0.3.noarch
python3-pip-20.2.2-1.amzn2.0.3.noarch
python-pip-wheel-20.2.2-1.amzn2.0.3.noarch
src:
python-pip-20.2.2-1.amzn2.0.3.src
2025-08-07: CVE-2021-3572 was added to this advisory.