-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2026 22:58:58 +0100
Source: dulwich
Architecture: source
Version: 1.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Jelmer Vernooij <[email protected]>
Changes:
 dulwich (1.2.5-1) unstable; urgency=medium
 .
   * New upstream release, fixing several security issues:
     - Validate submodule paths in porcelain.submodule_update (and thus
       porcelain.clone with recurse_submodules=True). The dulwich analogue
       of git's CVE-2024-32002 / CVE-2024-32004 (GHSA-gfhv-vqv2-4544).
     - CVE-2026-42305: Harden tree path validation against entry names that
       are harmless on POSIX but dangerous when checked out on Windows.
     - CVE-2026-42563: Shell-quote values substituted into
       ProcessMergeDriver commands.
     - CVE-2026-47712: Sanitize commit subjects used in
       porcelain.format_patch filenames to prevent path traversal.
     - CVE-2026-47734: Honour receive.maxInputSize in ReceivePackHandler to
       bound memory allocation from crafted packs over git-receive-pack.
   * Add patch older-similar: Downgrade similar crate to version 2.
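The CVE-2026-42563 entry above is about values substituted into a merge driver command line. As an added illustration (not dulwich's code and not part of the upload notice), the sketch below contrasts verbatim substitution with `shlex.quote`. The `%O %A %B %P` placeholders follow git's merge driver convention; the `mymerge` driver name, the template and the paths are constructed.

```python
import re
import shlex

# Git-style merge driver placeholders: %O ancestor, %A ours, %B theirs, %P path.
PLACEHOLDER = re.compile(r"%([OABP])")


def expand_raw(template, values):
    """Pre-fix pattern: values are pasted into the shell command verbatim."""
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def expand_quoted(template, values):
    """Hardened pattern: every substituted value becomes exactly one shell word."""
    return PLACEHOLDER.sub(lambda m: shlex.quote(values[m.group(1)]), template)


def shell_words(command):
    """Approximate POSIX shell tokenisation, keeping ; | & ( ) < > as separate
    tokens so that injected control operators become visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # treat '#' as data, as shlex.split() does
    return list(lexer)


def control_operators(command):
    """Return the unquoted control-operator tokens found in the command."""
    return [t for t in shell_words(command) if t and set(t) <= set("();<>|&")]


# Constructed sample: the tracked path comes from repository content, so it
# is untrusted input to the command template.
TEMPLATE = "mymerge %O %A %B %P"
VALUES = {
    "O": "/tmp/base",
    "A": "/tmp/ours",
    "B": "/tmp/theirs",
    "P": "docs/x.txt; echo injected",
}

if __name__ == "__main__":
    for expand in (expand_raw, expand_quoted):
        cmd = expand(TEMPLATE, VALUES)
        print(expand.__name__, shell_words(cmd), control_operators(cmd))
```

The tokeniser is a model of shell word splitting, not a full shell parser; it is enough to show whether a substituted value stays a single argument.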

