ALAS2023-2026-1719

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1719
Advisory Released Date: 2026-05-26
Advisory Updated Date: 2026-05-26

Severity: Low

References: CVE-2026-3219
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both. (CVE-2026-3219)

Affected Packages:

python3.13-pip

Issue Correction:
Run dnf update python3.13-pip --releasever 2023.11.20260526 or dnf update --advisory ALAS2023-2026-1719 --releasever 2023.11.20260526 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

noarch:
    python3.13-pip-wheel-24.2-259.amzn2023.0.6.noarch
    python3.13-pip-24.2-259.amzn2023.0.6.noarch

src:
    python3.13-pip-24.2-259.amzn2023.0.6.src

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-3219

Mitre: CVE-2026-3219