Description
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28363
Report excerpt:
Description from CVE
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Explanation
The urllib3 package is vulnerable to Improper Certificate Validation. The _connect_tls_proxy function in the connection.py file does not validate TLS certificate hostnames. A Man-in-the-Middle (MitM) attacker can leverage this vulnerability to decrypt and modify data in transit by providing a malicious certificate that exploits this issue.
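As an added illustration (not part of this issue or of urllib3's own code), the following Python script does the two things a maintainer would want after reading the report above: it checks whether an installed urllib3 falls in the affected range the CVE text names (1.26.x before 1.26.4), and it builds an explicit `SSLContext` with hostname checking enabled to hand to `ProxyManager` through the `proxy_ssl_context` keyword, which is the `proxy_config` route the CVE description says makes the proxy connection verify hostnames. The proxy URL in the `__main__` section is a constructed placeholder.

```python
import re
import ssl

# Affected range as stated in the CVE text: urllib3 1.26.x before 1.26.4.
AFFECTED_MINOR = (1, 26)
FIXED_PATCH = 4


def parse_version(version: str) -> tuple:
    """Turn '1.26.3' (or '1.26.4.dev0') into a tuple of its leading integers."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break  # stop at the first non-numeric component (e.g. 'dev0')
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this urllib3 version is in the range the CVE names (1.26.0 through 1.26.3)."""
    v = parse_version(version)
    if len(v) < 2 or v[:2] != AFFECTED_MINOR:
        return False  # 1.25.x, 2.x, etc. are outside the stated range
    patch = v[2] if len(v) > 2 else 0
    return patch < FIXED_PATCH


def hardened_proxy_context() -> ssl.SSLContext:
    """SSLContext for the HTTPS proxy hop: verify the chain and check the hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Guard used before handing a context to ProxyManager: both settings must be on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def installed_urllib3_status():
    """Return (version, affected) for the installed urllib3, or None if it is not installed."""
    try:
        import urllib3
    except ImportError:
        return None
    return urllib3.__version__, is_affected(urllib3.__version__)


if __name__ == "__main__":
    status = installed_urllib3_status()
    if status is None:
        print("urllib3 is not installed")
    else:
        version, affected = status
        print(f"urllib3 {version}: {'AFFECTED by CVE-2021-28363' if affected else 'not in affected range'}")
        # Whether or not the version is affected, pass an explicit context for the
        # HTTPS proxy hop so hostname verification does not depend on library defaults.
        import urllib3
        ctx = hardened_proxy_context()
        assert context_is_strict(ctx)
        proxy = urllib3.ProxyManager(
            "https://proxy.example.invalid:8443",  # constructed placeholder proxy URL
            proxy_ssl_context=ctx,
        )
        print("ProxyManager created with an explicit, hostname-checking SSLContext")
```

Run it inside the environment you are auditing; the version check is a quick triage aid, and the explicit context is the mitigation to keep even after upgrading, since it removes any dependence on the library default for the proxy hop.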