Tags: python, python-3.x, rpm, yum, dnf

Upgrading python3-pip for security issues


A security scan has identified python3-pip 9.0.3 on EL8 as a security issue. I don't use Python on the machine, but when I tried to remove it, I got an error because dnf depends on Python.

There is no newer version of python3-pip for EL8 that I can find.

Does anyone have any suggestions on how I can resolve this? I was wondering if I could remove the Python platform and install a newer version, like 3.8. This is on a Docker image, so I have room to experiment.


Solution

  • If there is a security issue in the package, then your provider should fix it. In this case, Red Hat should provide the fix.

    In stable releases (like EL8), Red Hat avoids rebasing packages to newer versions because, while that fixes one issue, it can open a bunch of other issues due to incompatibility. So, instead of rebasing, package maintainers backport the fixes to the old versions.

    This may confuse poorly designed security scanners, which can produce false negatives.

    E.g., such a scanner can tell you that you are running python3-pip in version 9.0.3 and that it has a bunch of security issues: CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074. But if you check the rpm changelog of this package:

    * Mon Jun 07 2021 Lumír Balhar <[email protected]> - 9.0.3-20
    - Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
    Resolves: rhbz#1962856
    ...

    * Mon Jan 13 2020 Lumír Balhar <[email protected]> - 9.0.3-16
    - Add four new patches for CVEs in bundled urllib3 and requests
    CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
    Resolves: rhbz#1649153
    Resolves: rhbz#1700824
    Resolves: rhbz#1702473
    Resolves: rhbz#1643829
    ...
    

    you can see that these CVEs are fixed in your package, assuming you have package 9.0.3-20 or higher. The last part after the dash (the release number) is very important in this case.

    Conclusion: Please check the changelog. The CVE is likely already fixed, and you do not need to do anything.
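The changelog check the answer recommends, done as a small script rather than by eye. This is an added example, not code from the original answer or from Red Hat: it embeds a constructed changelog excerpt (trimmed to the shape `rpm -q --changelog` prints, with a placeholder packager name and e-mail), looks up the version-release of the newest entry that names each CVE the scanner reported, and compares it with the installed version-release so that a backported fix in an older-looking version is counted as fixed. The `evr_at_least` comparison relies on GNU `sort -V` and is an assumption good enough for plain `version-release` strings like `9.0.3-20`; for epochs or tilde releases use `rpmdev-vercmp` from rpmdevtools instead.

```shell
#!/bin/sh
# Added example: triage scanner CVE findings against an RPM changelog.
#
# Constructed sample changelog, trimmed to the format `rpm -q --changelog`
# prints. Packager name and e-mail are placeholders; the CVE and bug IDs are
# the ones quoted in the answer above.
SAMPLE_CHANGELOG='* Mon Jun 07 2021 Packager Name <packager@example.com> - 9.0.3-20
- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
Resolves: rhbz#1962856

* Mon Jan 13 2020 Packager Name <packager@example.com> - 9.0.3-16
- Add four new patches for CVEs in bundled urllib3 and requests
CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
Resolves: rhbz#1649153'

# cve_fix_release CHANGELOG CVE-ID
# Prints the version-release (last field of the "* <date> <packager> - <evr>"
# entry header) of the newest entry that mentions the CVE and returns 0.
# Prints nothing and returns 1 if the CVE is not mentioned anywhere.
cve_fix_release() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { evr = $NF }                                   # entry header
        $0 ~ (cve "([^0-9]|$)") { print evr; found = 1; exit } # exact ID, not a prefix
        END { exit found ? 0 : 1 }'
}

# evr_at_least INSTALLED REQUIRED
# True when INSTALLED sorts at or above REQUIRED in version order.
# Assumption: GNU sort -V; use rpmdev-vercmp for epochs or tilde releases.
evr_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# triage_cves CHANGELOG INSTALLED_EVR CVE-ID...
# One line per CVE. Returns 0 only if every CVE is fixed in the installed release.
triage_cves() {
    changelog=$1
    installed=$2
    shift 2
    rc=0
    for cve in "$@"; do
        if fix=$(cve_fix_release "$changelog" "$cve"); then
            if evr_at_least "$installed" "$fix"; then
                echo "$cve: fixed in $fix (installed: $installed)"
            else
                echo "$cve: fixed in $fix but installed release $installed is older"
                rc=1
            fi
        else
            echo "$cve: not in changelog, needs a real look"
            rc=1
        fi
    done
    return $rc
}

# Run against the sample. On a real EL8 host replace the first two arguments with
#   "$(rpm -q --changelog python3-pip)"  and
#   "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' python3-pip)"
triage_cves "$SAMPLE_CHANGELOG" 9.0.3-20 \
    CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2018-18074 CVE-2021-3572
```

Feed the script the scanner's CVE list and it tells you which findings are backport false alarms and which still need attention; a CVE that is absent from the changelog is not proof of a vulnerability, only a signal to check the Red Hat CVE page or `dnf updateinfo` for that package.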