171 matches found
CVE-2026-38974
Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramikovendor.py...
PT-2026-60333
Name of the Vulnerable Software and Affected Versions Dulwich versions prior to 1.1.0 Description Dulwich fails to perform SSH host key verification within the contrib/paramiko vendor.py file. This lack of verification allows for potential man-in-the-middle attacks during SSH connections...
CVE-2026-38974
CVE-2026-38974 affects Dulwich up to version 1.1.0. The issue is in the SSH-related code path at contrib/paramiko_vendor.py, where SSH host key verification is missing. This absence can allow an attacker to perform a man-in-the-middle potentially compromising authenticity checks during SSH sessio...
SUSE-SU-2026:2984-1 Security update for python3-dulwich
This update for python3-dulwich fixes the following issues: - CVE-2026-47734: Do not honour receive.maxInputSize to bound received packs bsc1268138...
[SECURITY] Fedora 44 Update: python-dulwich-1.2.9-1.fc44
Dulwich is a Python implementation of the Git file formats and protocols. The project is named after the village in which Mr. and Mrs. Git live in the Monty Python sketch...
python313-dulwich-1.2.7-1.1 on GA media (moderate)
python313-dulwich-1.2.7-1.1 on GA media Announcement ID: openSUSE-SU-2026:11190-1 Rating: moderate Cross-References: CVE-2015-0838 CVE-2017-16228 CVSS scores: CVE-2017-16228 SUSE : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Tumbleweed An update that solves 2...
OPENSUSE-SU-2026:11190-1 python313-dulwich-1.2.7-1.1 on GA media
These are all security issues fixed in the python313-dulwich-1.2.7-1.1 package on the GA media of openSUSE Tumbleweed...
EUVD-2026-36195
Dulwich's submodule path traversal in porcelain.submoduleupdate / porcelain.clonerecursesubmodules=True yields RCE via attacker-dropped .git/hooks payload...
GHSA-GFHV-VQV2-4544 Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
Summary dulwich.porcelain.submoduleupdate, and by extension porcelain.clone..., recursesubmodules=True, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious .gitmodules plus a matching tree gitlink whose path is .git/hooks or any...
ROOT-APP-PYPI-CVE-2026-42305 CVE-2026-42305 in rootio-dulwich - Patched by Root
Root has patched CVE-2026-42305 in the rootio-dulwich package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2026-42563 CVE-2026-42563 in rootio-dulwich - Patched by Root
Root has patched CVE-2026-42563 in the rootio-dulwich package for Root:PyPI. Multiple fixed versions available...
CVE-2026-52726
A flaw was found in Dulwich, a pure-Python implementation of Git file formats and protocols. This vulnerability allows a remote attacker to achieve arbitrary code execution by crafting a malicious Git submodule. When a user clones or updates a repository with such a submodule, the...
SUSE CVE-2026-42305
Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accept...
SUSE CVE-2026-42563
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's ProcessMergeDriver substitutes the file path from the git tree, controllable by an attacker via a malicious branch into the merge driver command via the ...
SUSE CVE-2026-47712
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.formatpatchoutdir=... derives each patch filename from the commit's subject line. Prior to this fix, getsummary only replaced spaces with dashes ...
SUSE CVE-2026-47734
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack /...
SUSE CVE-2026-52726
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, dulwich.porcelain.submoduleupdate, and by extension porcelain.clone..., recursesubmodules=True, materializes attacker-controlled submodule paths from a crafted...
CVE-2026-47712
A flaw was found in Dulwich, a pure-Python implementation of Git file formats and protocols. A remote attacker could exploit this vulnerability by crafting a malicious commit subject. When the formatpatch function processes this subject, it could lead to an arbitrary file write, allowing the...
CVE-2026-47734
A flaw was found in Dulwich, a pure-Python implementation of Git file formats and protocols. A remote attacker with push access to a Dulwich-based Git server could send a specially crafted thin pack. This crafted pack, with a manipulated delta header, would cause the server to allocate excessive...
Linux Distros Unpatched Vulnerability : CVE-2026-52726
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5,...