OpenSSL released 1.1.1k today with two high severity CVEs, https://www.openssl.org/news/vulnerabilities.html
The ssl module is not affected by CVE-2021-3450 in its default configuration. Python does not set X509_V_FLAG_X509_STRICT on SSLContext. Only applications that use the ssl.VERIFY_X509_STRICT verify flag are affected.
It looks like Python's ssl module is vulnerable to CVE-2021-3449. The crash does not affect pip, requests, or any other client-side socket. Only server-side SSL/TLS sockets are vulnerable (ssl.PROTOCOL_TLS_SERVER and server_side=True).
I haven't had time to reproduce and verify any of the CVE bugs yet. That means I'm not entirely sure how the CVEs affect CPython. I strongly recommend that you update OpenSSL through your vendor and restart your services. If you cannot update OpenSSL (e.g. for Python.org installers), then you can apply workarounds:
To disable the X509_V_FLAG_X509_STRICT flag either remove any lines that set the flag or unset the flag with:
ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
(That's the bitwise AND and the unary bitwise invert operator.)
To work around CVE-2021-3449 either disable TLS 1.0, 1.1, and 1.2 with
ctx.minimum_version = ssl.TLSVersion.TLSv1_3
or disable renegotiation with
ctx.options |= ssl.OP_NO_RENEGOTIATION
NOTE: Renegotiation is required for TLS 1.2 rekeying, optional TLS client cert authentication with TLS 1.2 and possibly other features. TLS 1.3 is not supported by older clients and servers.
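As an added illustration (not code from the post or from CPython), here is one way to apply and audit the workarounds above on a server-side SSLContext. The helper names harden_server_context, audit_server_context and patched_openssl, and the reading of "mitigated" as "neither exposure condition is present", are my own assumptions; the version check follows the post's advice to update to 1.1.1k and relies only on the documented layout of ssl.OPENSSL_VERSION_INFO.

```python
import ssl


def harden_server_context(ctx, tls13_only=False):
    """Apply the two workarounds from the post to a server-side SSLContext.

    - CVE-2021-3450: clear VERIFY_X509_STRICT (ssl's name for
      X509_V_FLAG_X509_STRICT) so the strict-chain checks are never enabled.
    - CVE-2021-3449: either refuse everything below TLS 1.3 (tls13_only=True)
      or keep TLS 1.2 and forbid renegotiation, which is the path the
      malformed ClientHello in that CVE goes through.
    Helper name and the tls13_only switch are assumptions for this example.
    """
    # bitwise AND with the bitwise inverse, exactly as in the post
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    if tls13_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def audit_server_context(ctx):
    """Report which of the post's conditions hold for a context.

    Interpretation (mine): a CVE counts as mitigated when the exposure
    condition the post names for it is absent.
    """
    strict = bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)
    no_reneg = bool(ctx.options & ssl.OP_NO_RENEGOTIATION)
    tls13_only = ctx.minimum_version == ssl.TLSVersion.TLSv1_3
    return {
        "x509_strict_set": strict,            # exposure to CVE-2021-3450
        "renegotiation_disabled": no_reneg,   # one CVE-2021-3449 workaround
        "tls13_only": tls13_only,             # the other CVE-2021-3449 workaround
        "cve_2021_3449_mitigated": no_reneg or tls13_only,
        "cve_2021_3450_mitigated": not strict,
    }


def patched_openssl():
    """True when the linked OpenSSL is 1.1.1k or newer.

    ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status); for
    1.1.1k the patch letter 'k' is 11, so anything >= (1, 1, 1, 11) compares
    as fixed. OpenSSL 3.x has a larger major version and compares as fixed too.
    """
    return ssl.OPENSSL_VERSION_INFO >= (1, 1, 1, 11)


if __name__ == "__main__":
    # Constructed example: a server context that an application had put into
    # strict mode, i.e. the configuration the post says is exposed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    print("before:", audit_server_context(ctx))
    harden_server_context(ctx)
    print("after: ", audit_server_context(ctx))
    print("OpenSSL", ssl.OPENSSL_VERSION, "patched:", patched_openssl())
```

Run the audit against every server-side context your application builds (including ones returned by ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)); the workaround is only a stopgap, so keep patched_openssl() in a startup check so the warning disappears once the vendor update lands.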