rpm package
opensuse/python-dulwich&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-dulwich&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-47712 | Low | 3.3 | < 1.2.5-1.1 | 1.2.5-1.1 | Jun 10, 2026 | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replace | |
| CVE-2026-42563 | Hig | — | < 1.2.5-1.1 | 1.2.5-1.1 | Jun 10, 2026 | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge dr | |
| CVE-2026-42305 | Hig | 8.8 | < 1.2.5-1.1 | 1.2.5-1.1 | Jun 10, 2026 | Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element | |
| CVE-2017-16228 | Cri | 9.8 | < 0.21.7-1.3 | 0.21.7-1.3 | Oct 29, 2017 | Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117. | |
| CVE-2015-0838 | — | < 0.12.0-2.3 | 0.12.0-2.3 | Mar 31, 2015 | Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file. |
- affected < 1.2.5-1.1fixed 1.2.5-1.1
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replace
- affected < 1.2.5-1.1fixed 1.2.5-1.1
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge dr
- affected < 1.2.5-1.1fixed 1.2.5-1.1
Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element
- affected < 0.21.7-1.3fixed 0.21.7-1.3
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
- CVE-2015-0838Mar 31, 2015affected < 0.12.0-2.3fixed 0.12.0-2.3
Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.