Amazon Linux 2023 Security Advisory: ALAS2023-2026-1665
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14
pip treated a file that is simultaneously a valid tar archive and a valid ZIP archive (for example, a tar archive with a ZIP archive appended to it) as a ZIP archive, regardless of the file name. Because the two interpretations can carry different contents under the same member names, this could lead to confusing installation behavior, such as installing "incorrect" files relative to what the archive's file name suggests. With the fix, pip proceeds with installation only if the file identifies uniquely as a ZIP archive or as a tar archive, not as both. (CVE-2026-3219)
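The ambiguity above comes from how the two formats are parsed: a tar reader works from the front of the file and stops at the end-of-archive zero blocks, while a ZIP reader locates the end-of-central-directory record from the back and tolerates leading bytes. The following added example (not pip's code and not part of this advisory) builds a constructed tar+ZIP polyglot with Python's standard library, shows that each parser accepts it and reports different content for the same member name, and implements the check the fix describes: refuse anything that does not identify as exactly one format. The names `read_as_tar`, `read_as_zip`, `classify` and `load_unambiguous` are this example's own.

```python
import io
import tarfile
import zipfile


def build_tar(members):
    """Build an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(members):
    """Build a ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_as_tar(data):
    """Return {name: bytes} if tarfile accepts `data`, else None.

    tarfile parses from the front and stops at the end-of-archive zero
    blocks, so anything appended after a valid tar is never examined.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return {m.name: tf.extractfile(m).read()
                    for m in tf.getmembers() if m.isfile()}
    except tarfile.TarError:
        return None


def read_as_zip(data):
    """Return {name: bytes} if zipfile accepts `data`, else None.

    zipfile finds the end-of-central-directory record from the end of the
    file and compensates for arbitrary leading bytes (the same mechanism
    that makes self-extracting archives work), so a tar prefix is ignored.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name: zf.read(name) for name in zf.namelist()}
    except zipfile.BadZipFile:
        return None


def classify(data):
    """'tar', 'zip', 'both' or 'neither', based on what actually parses."""
    is_tar = read_as_tar(data) is not None
    is_zip = read_as_zip(data) is not None
    if is_tar and is_zip:
        return "both"
    if is_tar:
        return "tar"
    if is_zip:
        return "zip"
    return "neither"


def load_unambiguous(data):
    """Hypothetical hardened loader: accept an archive only if it is exactly
    one format. Returns (format, members); raises ValueError otherwise."""
    kind = classify(data)
    if kind == "tar":
        return kind, read_as_tar(data)
    if kind == "zip":
        return kind, read_as_zip(data)
    raise ValueError(f"refusing ambiguous archive: identifies as {kind}")


def accepted(data):
    """True if load_unambiguous would proceed with `data`."""
    try:
        load_unambiguous(data)
        return True
    except ValueError:
        return False


# Constructed sample input: the same path carries different content in each
# interpretation, so whichever parser wins decides which file is installed.
TAR_PART = build_tar({"README.txt": b"tar view\n"})
ZIP_PART = build_zip({"README.txt": b"zip view\n"})
POLYGLOT = TAR_PART + ZIP_PART  # a complete tar followed by a complete ZIP


if __name__ == "__main__":
    for label, blob in [("tar", TAR_PART), ("zip", ZIP_PART), ("tar+zip", POLYGLOT)]:
        print(label, "->", classify(blob), read_as_tar(blob), read_as_zip(blob))
```

Note that neither `tarfile` nor `zipfile` raises on the polyglot; each quietly returns its own view, which is why a format decision based on "does it open as a ZIP" alone is not enough and both probes have to be run.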
pip prior to version 26.1 ran its self-update check after installing wheel files. That check imports some well-known Python module names, and those imports were intentionally deferred to reduce the startup time of the pip CLI, so they were resolved only after the new wheel's contents were already on disk, where a module from the just-installed wheel could satisfy one of them. The patch moves the self-update check to run before wheels are installed, so that newly installed modules are not imported shortly after a wheel package lands. Users should still review package contents prior to installation. (CVE-2026-6357)
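The ordering problem above is a general property of lazy imports: a module name is resolved against sys.path at the moment of the import, so anything written to an earlier sys.path entry before that moment wins. The following added example (not pip's code and not part of this advisory) simulates the two orderings with a constructed module name, `pipcheck_helper`, which is a hypothetical name and not one of pip's real imports. A "trusted" copy lives in a directory later on sys.path; a stand-in for a wheel drops a same-named module into a directory earlier on sys.path, standing in for a site-packages directory. `simulate(False)` reproduces the old install-then-import order and `simulate(True)` the patched import-then-install order.

```python
import importlib
import os
import sys
import tempfile

MODULE = "pipcheck_helper"  # hypothetical name for this example only

TRUSTED_SRC = 'ORIGIN = "trusted"\n'
WHEEL_SRC = 'ORIGIN = "wheel"\n'  # constructed stand-in for a module shipped in a wheel


def write_module(directory, source):
    """Stand-in for unpacking a wheel: write a top-level module into `directory`."""
    path = os.path.join(directory, MODULE + ".py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(source)
    return path


def deferred_import():
    """The lazily imported helper: resolved against sys.path now, not at startup.
    Returns the ORIGIN string of whichever copy was found first."""
    sys.modules.pop(MODULE, None)
    importlib.invalidate_caches()
    return importlib.import_module(MODULE).ORIGIN


def simulate(check_before_install):
    """Run the self-check either before or after the wheel is 'installed' and
    return which copy of MODULE the deferred import picked up.

    site_dir is searched before trusted_dir, as a site-packages directory
    that receives new wheels would be.
    """
    with tempfile.TemporaryDirectory() as site_dir, \
            tempfile.TemporaryDirectory() as trusted_dir:
        write_module(trusted_dir, TRUSTED_SRC)
        sys.path[:0] = [site_dir, trusted_dir]
        try:
            if check_before_install:
                origin = deferred_import()         # patched order: import first...
                write_module(site_dir, WHEEL_SRC)  # ...then the wheel lands
            else:
                write_module(site_dir, WHEEL_SRC)  # old order: install first...
                origin = deferred_import()         # ...then import lazily
            return origin
        finally:
            for d in (site_dir, trusted_dir):
                sys.path.remove(d)
            sys.modules.pop(MODULE, None)


if __name__ == "__main__":
    print("import after install ->", simulate(False))
    print("import before install ->", simulate(True))
```

The fix in pip reorders the steps rather than pinning module paths, which is why the advisory still tells users to review package contents: a wheel that lands before any other deferred import in the same process gets the same opportunity.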
Affected Packages:
python3.11-pip
Issue Correction:
Run dnf update python3.11-pip --releasever 2023.11.20260511 or dnf update --advisory ALAS2023-2026-1665 --releasever 2023.11.20260511 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
noarch:
python3.11-pip-wheel-22.3.1-2.amzn2023.0.12.noarch
python3.11-pip-22.3.1-2.amzn2023.0.12.noarch
src:
python3.11-pip-22.3.1-2.amzn2023.0.12.src