Package : dulwich
Version : 0.6.1-1+deb6u1
CVE ID : CVE-2015-0838
Ivan Fratric of the Google Security Team has found a buffer overflow in
the C implementation of the apply_delta() function, used when accessing
Git objects in pack files. An attacker could take advantage of this flaw
to cause the execution of arbitrary code with the privileges of the user
running a Git server or client based on Dulwich.
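For the oldoldstable distribution (squeeze), this problem has been
fixed in version 0.6.1-1+deb6u1. For installations not using the Debian
package, the CVE description for CVE-2015-0838 lists Dulwich before 0.9.9
as affected, with a crafted pack file as the trigger.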
{"nessus": [{"lastseen": "2021-08-19T12:46:15", "description": "MITRE reports :\n\nBuffer overflow in the C implementation of the apply_delta function in\n_pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.", "cvss3": {"score": null, "vector": null}, "published": "2015-04-20T00:00:00", "type": "nessus", "title": "FreeBSD : Dulwich -- Remote code execution (e426eda9-dae1-11e4-8107-94de806b0af9)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0838"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py27-dulwich", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_E426EDA9DAE111E4810794DE806B0AF9.NASL", "href": "https://www.tenable.com/plugins/nessus/82894", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82894);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-0838\");\n\n script_name(english:\"FreeBSD : Dulwich -- Remote code execution (e426eda9-dae1-11e4-8107-94de806b0af9)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"MITRE reports :\n\nBuffer overflow in the C implementation of the apply_delta function in\n_pack.c in Dulwich before 0.9.9 allows remote attackers to execute\narbitrary code via a crafted pack file.\"\n );\n # https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74eb2aa5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-dulwich\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-dulwich<0.9.9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:45:39", "description": "Ivan Fratric of the Google Security Team has found a buffer overflow in the C implementation of the apply_delta() function, used when accessing Git objects in pack files. An attacker could take advantage of this flaw to cause the execution of arbitrary code with the privileges of the user running a Git server or client based on Dulwich.\n\nFor the oldoldstable distribution (squeeze), this problem has been fixed in version 0.6.1-1+deb6u1.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-05-28T00:00:00", "type": "nessus", "title": "Debian DLA-231-1 : dulwich security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0838"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:python-dulwich", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DLA-231.NASL", "href": "https://www.tenable.com/plugins/nessus/83866", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-231-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83866);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-0838\");\n script_bugtraq_id(73410);\n\n script_name(english:\"Debian DLA-231-1 : dulwich security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Ivan Fratric of the Google Security Team has found a buffer overflow\nin the C implementation of the apply_delta() function, used when\naccessing Git objects in pack files. 
An attacker could take advantage\nof this flaw to cause the execution of arbitrary code with the\nprivileges of the user running a Git server or client based on\nDulwich.\n\nFor the oldoldstable distribution (squeeze), this problem has been\nfixed in version 0.6.1-1+deb6u1.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/05/msg00014.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/dulwich\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected python-dulwich package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-dulwich\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", 
\"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"python-dulwich\", reference:\"0.6.1-1+deb6u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:46:41", "description": "Multiple vulnerabilities have been discovered in Dulwich, a Python implementation of the file formats and protocols used by the Git version control system. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2014-9706 It was discovered that Dulwich allows writing to files under .git/ when checking out working trees. This could lead to the execution of arbitrary code with the privileges of the user running an application based on Dulwich.\n\n - CVE-2015-0838 Ivan Fratric of the Google Security Team has found a buffer overflow in the C implementation of the apply_delta() function, used when accessing Git objects in pack files. 
An attacker could take advantage of this flaw to cause the execution of arbitrary code with the privileges of the user running a Git server or client based on Dulwich.", "cvss3": {"score": null, "vector": null}, "published": "2015-03-30T00:00:00", "type": "nessus", "title": "Debian DSA-3206-1 : dulwich - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:dulwich", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3206.NASL", "href": "https://www.tenable.com/plugins/nessus/82303", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3206. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82303);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-9706\", \"CVE-2015-0838\");\n script_bugtraq_id(73411);\n script_xref(name:\"DSA\", value:\"3206\");\n\n script_name(english:\"Debian DSA-3206-1 : dulwich - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in Dulwich, a Python\nimplementation of the file formats and protocols used by the Git\nversion control system. The Common Vulnerabilities and Exposures\nproject identifies the following problems :\n\n - CVE-2014-9706\n It was discovered that Dulwich allows writing to files\n under .git/ when checking out working trees. 
This could\n lead to the execution of arbitrary code with the\n privileges of the user running an application based on\n Dulwich.\n\n - CVE-2015-0838\n Ivan Fratric of the Google Security Team has found a\n buffer overflow in the C implementation of the\n apply_delta() function, used when accessing Git objects\n in pack files. An attacker could take advantage of this\n flaw to cause the execution of arbitrary code with the\n privileges of the user running a Git server or client\n based on Dulwich.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780958\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780989\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-9706\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-0838\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/dulwich\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3206\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the dulwich packages.\n\nFor the stable distribution (wheezy), these problems have been fixed\nin version 0.8.5-2+deb7u2.\n\nFor the upcoming stable distribution (jessie), these problems have\nbeen fixed in version 0.9.7-3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:dulwich\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"python-dulwich\", reference:\"0.8.5-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-dulwich-dbg\", reference:\"0.8.5-2+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:46:20", "description": "Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.", "cvss3": {}, "published": "2015-03-31T14:59:00", "type": "cve", "title": "CVE-2015-0838", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0838"], "modified": "2015-04-01T03:09:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "cpe:/a:dulwich_project:dulwich:0.9.8"], "id": "CVE-2015-0838", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0838", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:dulwich_project:dulwich:0.9.8:*:*:*:*:*:*:*"]}], "osv": [{"lastseen": "2022-05-11T21:46:11", "description": "Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.", "cvss3": {}, "published": "2015-03-31T14:59:00", "type": "osv", "title": "PYSEC-2015-35", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0838"], "modified": "2021-08-27T03:22:03", "id": "OSV:PYSEC-2015-35", "href": "https://osv.dev/vulnerability/PYSEC-2015-35", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-06-14T05:58:38", "description": "Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 
0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.", "cvss3": {}, "published": "2015-03-31T14:59:00", "type": "debiancve", "title": "CVE-2015-0838", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0838"], "modified": "2015-03-31T14:59:00", "id": "DEBIANCVE:CVE-2015-0838", "href": "https://security-tracker.debian.org/tracker/CVE-2015-0838", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nMITRE reports:\n\nBuffer overflow in the C implementation of the apply_delta\n\t function in _pack.c in Dulwich before 0.9.9 allows remote\n\t attackers to execute arbitrary code via a crafted pack file.\n\n\n", "cvss3": {}, "published": "2015-01-07T00:00:00", "type": "freebsd", "title": "Dulwich -- Remote code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0838"], "modified": "2015-01-07T00:00:00", "id": "E426EDA9-DAE1-11E4-8107-94DE806B0AF9", "href": 
"https://vuxml.freebsd.org/freebsd/e426eda9-dae1-11e4-8107-94de806b0af9.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:44:02", "description": "Buffer overflow in the C implementation of the apply_delta function in\n_pack.c in Dulwich before 0.9.9 allows remote attackers to execute\narbitrary code via a crafted pack file.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780958>\n", "cvss3": {}, "published": "2015-03-31T00:00:00", "type": "ubuntucve", "title": "CVE-2015-0838", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0838"], "modified": "2015-03-31T00:00:00", "id": "UB:CVE-2015-0838", "href": "https://ubuntu.com/security/CVE-2015-0838", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Updated python-dulwich package fixes security vulnerabilities: It was discovered that Dulwich allows writing to files under .git/ when checking out working trees. This could lead to the execution of arbitrary code with the privileges of the user running an application based on Dulwich (CVE-2014-9706). Ivan Fratric of the Google Security Team has found a buffer overflow in the C implementation of the apply_delta() function, used when accessing Git objects in pack files. 
An attacker could take advantage of this flaw to cause the execution of arbitrary code with the privileges of the user running a Git server or client based on Dulwich (CVE-2015-0838). The python-dulwich package has been updated to version 0.10.0, fixing these issues and other bugs. \n", "cvss3": {}, "published": "2015-04-15T17:22:53", "type": "mageia", "title": "Updated python-dulwich packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2015-04-15T17:22:53", "id": "MGASA-2015-0157", "href": "https://advisories.mageia.org/MGASA-2015-0157.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:36:12", "description": "Multiple vulnerabilities have\nbeen discovered in Dulwich, a Python implementation of the file formats\nand protocols used by the Git version control system. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2014-9706\nIt was discovered that Dulwich allows writing to files under .git/\nwhen checking out working trees. This could lead to the execution of\narbitrary code with the privileges of the user running an\napplication based on Dulwich.\n\nCVE-2015-0838\nIvan Fratric of the Google Security Team has found a buffer\noverflow in the C implementation of the apply_delta() function,\nused when accessing Git objects in pack files. 
An attacker could\ntake advantage of this flaw to cause the execution of arbitrary\ncode with the privileges of the user running a Git server or client\nbased on Dulwich.", "cvss3": {}, "published": "2015-03-28T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3206-1 (dulwich - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703206", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703206", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3206.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3206-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703206\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2014-9706\", \"CVE-2015-0838\");\n script_name(\"Debian Security Advisory DSA 3206-1 (dulwich - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-28 00:00:00 +0100 (Sat, 28 Mar 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3206.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"dulwich on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthese problems have been fixed in version 0.8.5-2+deb7u2.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 0.9.7-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.10.1-1.\n\nWe recommend that you upgrade your dulwich packages.\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have\nbeen discovered in Dulwich, a Python implementation of the file formats\nand 
protocols used by the Git version control system. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2014-9706\nIt was discovered that Dulwich allows writing to files under .git/\nwhen checking out working trees. This could lead to the execution of\narbitrary code with the privileges of the user running an\napplication based on Dulwich.\n\nCVE-2015-0838\nIvan Fratric of the Google Security Team has found a buffer\noverflow in the C implementation of the apply_delta() function,\nused when accessing Git objects in pack files. An attacker could\ntake advantage of this flaw to cause the execution of arbitrary\ncode with the privileges of the user running a Git server or client\nbased on Dulwich.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed\nsoftware version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"python-dulwich\", ver:\"0.8.5-2+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python-dulwich-dbg\", ver:\"0.8.5-2+deb7u2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:52:18", "description": "Multiple vulnerabilities have\nbeen discovered in Dulwich, a Python implementation of the file formats\nand protocols used by the Git version control system. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2014-9706 \nIt was discovered that Dulwich allows writing to files under .git/\nwhen checking out working trees. 
This could lead to the execution of\narbitrary code with the privileges of the user running an\napplication based on Dulwich.\n\nCVE-2015-0838 \nIvan Fratric of the Google Security Team has found a buffer\noverflow in the C implementation of the apply_delta() function,\nused when accessing Git objects in pack files. An attacker could\ntake advantage of this flaw to cause the execution of arbitrary\ncode with the privileges of the user running a Git server or client\nbased on Dulwich.", "cvss3": {}, "published": "2015-03-28T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3206-1 (dulwich - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703206", "href": "http://plugins.openvas.org/nasl.php?oid=703206", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3206.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3206-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703206);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2014-9706\", \"CVE-2015-0838\");\n script_name(\"Debian Security Advisory DSA 3206-1 (dulwich - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-03-28 00:00:00 +0100 (Sat, 28 Mar 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3206.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"dulwich on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthese problems have been fixed in version 0.8.5-2+deb7u2.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 0.9.7-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.10.1-1.\n\nWe recommend that you upgrade your dulwich packages.\");\n script_tag(name: \"summary\", value: \"Multiple vulnerabilities have\nbeen discovered in Dulwich, a Python implementation of the file formats\nand protocols used by the Git version 
control system. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2014-9706 \nIt was discovered that Dulwich allows writing to files under .git/\nwhen checking out working trees. This could lead to the execution of\narbitrary code with the privileges of the user running an\napplication based on Dulwich.\n\nCVE-2015-0838 \nIvan Fratric of the Google Security Team has found a buffer\noverflow in the C implementation of the apply_delta() function,\nused when accessing Git objects in pack files. An attacker could\ntake advantage of this flaw to cause the execution of arbitrary\ncode with the privileges of the user running a Git server or client\nbased on Dulwich.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"python-dulwich\", ver:\"0.8.5-2+deb7u2\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python-dulwich-dbg\", ver:\"0.8.5-2+deb7u2\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2021-10-21T22:48:02", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3206-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMarch 28, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dulwich\nCVE ID : CVE-2014-9706 CVE-2015-0838\nDebian Bug : 780958 780989\n\nMultiple vulnerabilities have been discovered in Dulwich, a Python\nimplementation of the file 
formats and protocols used by the Git version\ncontrol system. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2014-9706\n\n It was discovered that Dulwich allows writing to files under .git/\n when checking out working trees. This could lead to the execution of\n arbitrary code with the privileges of the user running an\n application based on Dulwich.\n\nCVE-2015-0838\n\n Ivan Fratric of the Google Security Team has found a buffer\n overflow in the C implementation of the apply_delta() function,\n used when accessing Git objects in pack files. An attacker could\n take advantage of this flaw to cause the execution of arbitrary\n code with the privileges of the user running a Git server or client\n based on Dulwich.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 0.8.5-2+deb7u2.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 0.9.7-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.10.1-1.\n\nWe recommend that you upgrade your dulwich packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-03-28T13:22:01", "type": "debian", "title": "[SECURITY] [DSA 3206-1] dulwich security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2015-03-28T13:22:01", "id": "DEBIAN:DSA-3206-1:691EC", "href": "https://lists.debian.org/debian-security-announce/2015/msg00093.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-01T00:00:00", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3206-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMarch 28, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : dulwich\nCVE ID : CVE-2014-9706 CVE-2015-0838\nDebian Bug : 780958 780989\n\nMultiple vulnerabilities have been discovered in Dulwich, a Python\nimplementation of the file formats and protocols used by the Git version\ncontrol system. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2014-9706\n\n It was discovered that Dulwich allows writing to files under .git/\n when checking out working trees. This could lead to the execution of\n arbitrary code with the privileges of the user running an\n application based on Dulwich.\n\nCVE-2015-0838\n\n Ivan Fratric of the Google Security Team has found a buffer\n overflow in the C implementation of the apply_delta() function,\n used when accessing Git objects in pack files. 
An attacker could\n take advantage of this flaw to cause the execution of arbitrary\n code with the privileges of the user running a Git server or client\n based on Dulwich.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 0.8.5-2+deb7u2.\n\nFor the upcoming stable distribution (jessie), these problems have been\nfixed in version 0.9.7-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.10.1-1.\n\nWe recommend that you upgrade your dulwich packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-03-28T13:22:01", "type": "debian", "title": "[SECURITY] [DSA 3206-1] dulwich security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2015-03-28T13:22:01", "id": "DEBIAN:DSA-3206-1:74F58", "href": "https://lists.debian.org/debian-security-announce/2015/msg00093.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3206-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nMarch 28, 
2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : dulwich\r\nCVE ID : CVE-2014-9706 CVE-2015-0838\r\nDebian Bug : 780958 780989\r\n\r\nMultiple vulnerabilities have been discovered in Dulwich, a Python\r\nimplementation of the file formats and protocols used by the Git version\r\ncontrol system. The Common Vulnerabilities and Exposures project\r\nidentifies the following problems:\r\n\r\nCVE-2014-9706\r\n\r\n It was discovered that Dulwich allows writing to files under .git/\r\n when checking out working trees. This could lead to the execution of\r\n arbitrary code with the privileges of the user running an\r\n application based on Dulwich.\r\n\r\nCVE-2015-0838\r\n\r\n Ivan Fratric of the Google Security Team has found a buffer\r\n overflow in the C implementation of the apply_delta() function,\r\n used when accessing Git objects in pack files. An attacker could\r\n take advantage of this flaw to cause the execution of arbitrary\r\n code with the privileges of the user running a Git server or client\r\n based on Dulwich.\r\n\r\nFor the stable distribution (wheezy), these problems have been fixed in\r\nversion 0.8.5-2+deb7u2.\r\n\r\nFor the upcoming stable distribution (jessie), these problems have been\r\nfixed in version 0.9.7-3.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 0.10.1-1.\r\n\r\nWe recommend that you upgrade your dulwich packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG 
v1\r\n\r\niQIcBAEBCgAGBQJVFqrBAAoJEAVMuPMTQ89EXMIQAJTFthRtXilrRtR2zW2h254v\r\nPjR2wH/Hx+9CUTTFinYea9IM1J3OldiTs4Kzie6imI8ZAkla0XKVgmCYAFGSuR29\r\nleyGgF/q62CzJkY+qiK1RAhWmCKNxt5nawhxo2Ss3BQL3YgwfaVAUZplkbTWsoNw\r\nN2o/g0/9CQCkj8fUy+WbzPiLlZ1q6sZLgTKXtc3RCFQmF6zOCSHieruDrjeFPpJh\r\nH1sw5fxsuwgibuOMHD+2vqXNCUNO+fWNfr5vmLQuIdqLuGX5E7b8k0fujQvcOJP2\r\nTCDaMC8wrPLEWToH0qXhL/FwCkI0tpKJCzXS0XwwF3E5UwEjtkzWylGhxPBuP2mw\r\nwt1nBng18EBGu58Iaoo/9DoM58Nan6auDinLYaciBPH+Q1221EWUqBZO5yOAhxDM\r\nxD9o/QKEVFqq9Q3dk6Vxekf4WERDIbsBN1B7SA9+pHO3GYaMcwAOhUmdaRyuweWq\r\n9dlCwoyagkYxljo+ZW1WCFvClrmF42hdv+H4sg6DD7MLzB+feQBzTUWxW12rTHU0\r\nB8f6aA47Ccm7Ht8OEF93ojvfHurOF7S3T+qsqT/g2M8pEH/Q6sSq+YpOEY3J2IOs\r\nJEbLf4eNgqRoL0/N12tE5d+9UvTlVMw9kFeeBrm8Yz4fwq4MHd5I28UX96AUhhvV\r\nymN7Sgsu5iQwJLa0CCoD\r\n=OotG\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2015-04-19T00:00:00", "title": "[SECURITY] [DSA 3206-1] dulwich security update", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2015-04-19T00:00:00", "id": "SECURITYVULNS:DOC:31946", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31946", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:53:45", "description": "Code execution, buffer overflow.", "edition": 2, "cvss3": {}, "published": "2015-04-19T00:00:00", "title": "dulwich security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-9706", "CVE-2015-0838"], "modified": "2015-04-19T00:00:00", "id": "SECURITYVULNS:VULN:14414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14414", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}