{"id":"MGASA-2021-0371","summary":"Updated python-pip packages fix security vulnerabilities","details":"A flaw was found in python-pip in the way it handled Unicode separators in git\nreferences. A remote attacker could possibly use this issue to install a\ndifferent revision on a repository (CVE-2021-3572).\n\nThe bundled python-urllib3 was also vulnerable to:\nThe urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate\nvalidation in some cases involving HTTPS to HTTPS proxies. The initial\nconnection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)\ndoesn't verify the hostname of the certificate. This means certificates for\ndifferent servers that still validate properly with the default urllib3\nSSLContext will be silently accepted (CVE-2021-28363).\n\nAn issue was discovered in urllib3 before 1.26.5. When provided with a URL\ncontaining many @ characters in the authority component, the authority regular\nexpression exhibits catastrophic backtracking, causing a denial of service if a\nURL were passed as a parameter or redirected to via an HTTP redirect\n(CVE-2021-33503).\n","modified":"2026-02-04T04:16:50.514390Z","published":"2021-07-25T14:45:06Z","related":["CVE-2021-28363","CVE-2021-33503","CVE-2021-3572"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0371.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29010"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29041"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/"},{"type":"REPORT","url":"https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html"}],"affected":[{"package":{"name":"python-pip","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-pip?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.3.3-3.3.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0371.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}