[Git][security-tracker-team/security-tracker][master] add one more CVE-less Dulwich issue and commit references
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jun 1 16:25:23 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ec6fb312 by Moritz Muehlenhoff at 2026-06-01T15:50:56+02:00
add one more CVE-less Dulwich issue and commit references
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1591,6 +1591,10 @@ CVE-2026-47753
[trixie] - incus <not-affected> (Vulnerable code not resent)
NOTE: https://github.com/lxc/incus/pull/3425
NOTE: https://github.com/lxc/incus/security/advisories/GHSA-8g7m-96c8-8wwc
+CVE-2026-XXXX [dulwich: Submodule clone allows writing to arbitrary path]
+ - dulwich 1.2.5-1
+ NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-gfhv-vqv2-4544
+ NOTE: https://github.com/jelmer/dulwich/commit/1ca18147a1d03b61c2ae203c46bf0b2a2f5dd421 (dulwich-1.2.5)
CVE-2026-47734 [dulwich: Unbounded memory allocation in receive-pack from crafted thin packs]
- dulwich 1.2.5-1
NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-xrvj-v92f-53gj
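Review bot: The added `CVE-2026-XXXX` entry is keyed only by its GHSA-gfhv-vqv2-4544 NOTE, so if the advisory is later assigned a CVE id the placeholder header should be replaced in place rather than a second entry added. The CVE-2026-47734 entry in the trailing context shows only its advisory NOTE, while the other dulwich entries in this commit gain a commit reference; one line between this hunk and the next is not shown, so it is worth confirming whether that entry already carries its fix commit. Separately, the unchanged context line `[trixie] - incus <not-affected> (Vulnerable code not resent)` looks like a typo for "present" and could be fixed in a follow-up.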
@@ -1598,9 +1602,11 @@ CVE-2026-47734 [dulwich: Unbounded memory allocation in receive-pack from crafte
CVE-2026-47712 [dulwich: Commit subjects not sanitized in porcelain.format_patch]
- dulwich 1.2.5-1
NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-555p-6grf-mh7f
+ NOTE: https://github.com/jelmer/dulwich/commit/0fd6e6bb61f8017b1af4b5fdbf7602ddbcf6d17e (dulwich-1.2.5)
CVE-2026-42563 [dulwich: Command Injection via Merge Driver Path]
- dulwich 1.2.5-1
NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf
+ NOTE: https://github.com/jelmer/dulwich/commit/0110b885a1ab5b2128473263a6ff5b7230732e49 (dulwich-1.2.5)
CVE-2026-42305
- dulwich <not-affected> (Windows-specific)
NOTE: https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj
=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ ceph (carnil)
--
cups
--
+dulwich
+--
erlang
--
expat
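Review bot: The new `dulwich` line in data/dsa-needed.txt carries no indication of which issues or suites the update is for, and the data/CVE/list entries in this commit only record the unstable fix `dulwich 1.2.5-1` with no per-release lines. A short note under the entry naming the affected issues (the four entries marked fixed in 1.2.5-1, not the Windows-specific CVE-2026-42305) would save whoever claims it from re-deriving that. The entry is also unclaimed, unlike `ceph (carnil)` in the hunk header, which is fine if nobody is working on it yet.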
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec6fb312ae48bbc9c0a184e87208bbda3266a341