GHSA-897W-FCG9-F6XJ
Vulnerability from github – Published: 2026-05-28 22:28 – Updated: 2026-05-28 22:28
Impact
Arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows.
Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax:
- \ — the Windows path separator. A single tree entry named .git\hooks\pre-commit.exe was treated as one valid filename on POSIX but materialized as nested directories .git/hooks/pre-commit.exe on Windows, planting a file inside the victim's .git directory. Git for Windows then executes that hook on the next git commit, giving the attacker arbitrary code execution in the victim's user context. The same primitive can be used with ..\outside.txt to escape the work tree.
- : — the NTFS alternate-data-stream marker. .git::$INDEX_ALLOCATION writes directly into the victim's .git entity, bypassing the .git-as-a-directory check.
- git~<digits> — NTFS 8.3 short-name aliases of .git. Only the literal git~1 was rejected; git~2, git~10, GIT~1, etc. were all accepted.
Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected.
Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication.
Patches
Fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later.
The fix lives in three commits:
- Read core.protectNTFS / core.protectHFS under their documented option names so user-set values are honored.
- Default core.protectNTFS to true on every platform, matching Git's PROTECT_NTFS_DEFAULT=1.
- Reject \, :, and all git~<digits> 8.3 short-name forms in validate_path_element_ntfs.
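An added example, not Dulwich's own code: a standalone audit of tree-entry names against the three classes the fix rejects, usable to screen a repository's paths before they reach Windows consumers. The names `hostile_reasons`, `audit_tree_paths` and `legacy_accepts` are hypothetical, and `legacy_accepts` is a simplified model of the pre-fix behaviour described above (its case-insensitive `.git` comparison is an assumption).

```python
import re

# git~<digits> in any letter case: the NTFS 8.3 short-name aliases of ".git".
GIT_SHORTNAME_RE = re.compile(rb"git~[0-9]+", re.IGNORECASE)


def legacy_accepts(element: bytes) -> bool:
    """Simplified model (assumption) of the pre-fix check the advisory
    describes: only ".git" and the literal b"git~1" are refused."""
    return element.lower() != b".git" and element != b"git~1"


def hostile_reasons(element: bytes) -> list[str]:
    """Return why one tree-entry name is unsafe to materialize on NTFS.

    Covers only the classes the advisory lists, plus ".git" itself.
    """
    reasons = []
    if b"\\" in element:
        reasons.append("backslash: Windows path separator")
    if b":" in element:
        reasons.append("colon: NTFS alternate-data-stream marker")
    if GIT_SHORTNAME_RE.fullmatch(element):
        reasons.append("8.3 short-name alias of .git")
    if element.lower() == b".git":
        reasons.append(".git directory")
    return reasons


def audit_tree_paths(paths):
    """Map each offending path to its findings.

    Paths are given as Git stores them in trees: elements joined by b"/".
    """
    findings = {}
    for path in paths:
        for element in path.split(b"/"):
            reasons = hostile_reasons(element)
            if reasons:
                findings.setdefault(path, []).extend(reasons)
    return findings


# Constructed sample: entry names quoted in the advisory plus benign ones.
SAMPLE_PATHS = [
    b"README.md",
    b"src/main.py",
    b".git\\hooks\\pre-commit.exe",
    b"..\\outside.txt",
    b".git::$INDEX_ALLOCATION",
    b"git~2",
    b"git~10",
    b"GIT~1",
    b"docs/git~1/notes.txt",
]

if __name__ == "__main__":
    for path, reasons in audit_tree_paths(SAMPLE_PATHS).items():
        old = all(legacy_accepts(e) for e in path.split(b"/"))
        print(path, "->", "; ".join(reasons), "| legacy model accepted:", old)
```

Running it over the sample shows that every flagged name except the one containing the literal `git~1` passes the legacy model, which is the gap the third commit closes.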
Workarounds
There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading, the NTFS validator is on by default on every platform, so no additional configuration is required.
Resources
- Git upstream path validation: https://github.com/git/git/blob/master/path.c (is_ntfs_dotgit, verify_path)
- CVE-2019-1353 — the Git upstream vulnerability that established core.protectNTFS = true as the cross-platform default
- CVE-2019-1354 — backslash-in-tree-path class in Git, analogous to this issue
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dulwich"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42305"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T22:28:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Impact\n\nArbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows.\n\nDulwich\u0027s path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax:\n\n - \\ \u2014 the Windows path separator. A single tree entry named .git\\hooks\\pre-commit.exe was treated as one valid filename on POSIX but materialized as nested directories .git/hooks/pre-commit.exe on Windows, planting a file inside the victim\u0027s .git directory. Git for Windows then\n executes that hook on the next git commit, giving the attacker arbitrary code execution in the victim\u0027s user context. The same primitive can be used with ..\\outside.txt to escape the work tree.\n - : \u2014 the NTFS alternate-data-stream marker. .git::$INDEX_ALLOCATION writes directly into the victim\u0027s .git entity, bypassing the .git-as-a-directory check.\n - git~\u003cdigits\u003e \u2014 NTFS 8.3 short-name aliases of .git. Only the literal git~1 was rejected; git~2, git~10, GIT~1, etc. were all accepted.\n\nContributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected.\n\nAnyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \\ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication.\n\n## Patches\n\nFixed in Dulwich 1.2.5. 
Users should upgrade to 1.2.5 or later.\n\nThe fix lives in three commits:\n\n- Read core.protectNTFS / core.protectHFS under their documented option names so user-set values are honored.\n- Default core.protectNTFS to true on every platform, matching Git\u0027s PROTECT_NTFS_DEFAULT=1.\n- Reject \\, :, and all git~\u003cdigits\u003e 8.3 short-name forms in validate_path_element_ntfs.\n\n## Workarounds\n\nThere is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.\n\n## Resources\n\n- Git upstream path validation: https://github.com/git/git/blob/master/path.c (is_ntfs_dotgit, verify_path)\n- CVE-2019-1353 \u2014 the Git upstream vulnerability that established core.protectNTFS = true as the cross-platform default\n- CVE-2019-1354 \u2014 backslash-in-tree-path class in Git, analogous to this issue",
"id": "GHSA-897w-fcg9-f6xj",
"modified": "2026-05-28T22:28:06Z",
"published": "2026-05-28T22:28:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj"
},
{
"type": "PACKAGE",
"url": "https://github.com/jelmer/dulwich"
},
{
"type": "WEB",
"url": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows"
}
OPENSUSE-SU-2026:10900-1
Vulnerability from csaf_opensuse - Published: 2026-05-29 00:00 - Updated: 2026-05-29 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-dulwich-1.2.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-dulwich-1.2.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10900",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10900-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42305 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42305/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42563 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42563/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-47712 page",
"url": "https://www.suse.com/security/cve/CVE-2026-47712/"
}
],
"title": "python311-dulwich-1.2.5-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-29T00:00:00Z",
"generator": {
"date": "2026-05-29T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10900-1",
"initial_release_date": "2026-05-29T00:00:00Z",
"revision_history": [
{
"date": "2026-05-29T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-dulwich-1.2.5-1.1.aarch64",
"product": {
"name": "python311-dulwich-1.2.5-1.1.aarch64",
"product_id": "python311-dulwich-1.2.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-dulwich-1.2.5-1.1.aarch64",
"product": {
"name": "python313-dulwich-1.2.5-1.1.aarch64",
"product_id": "python313-dulwich-1.2.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-dulwich-1.2.5-1.1.aarch64",
"product": {
"name": "python314-dulwich-1.2.5-1.1.aarch64",
"product_id": "python314-dulwich-1.2.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-dulwich-1.2.5-1.1.ppc64le",
"product": {
"name": "python311-dulwich-1.2.5-1.1.ppc64le",
"product_id": "python311-dulwich-1.2.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-dulwich-1.2.5-1.1.ppc64le",
"product": {
"name": "python313-dulwich-1.2.5-1.1.ppc64le",
"product_id": "python313-dulwich-1.2.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-dulwich-1.2.5-1.1.ppc64le",
"product": {
"name": "python314-dulwich-1.2.5-1.1.ppc64le",
"product_id": "python314-dulwich-1.2.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-dulwich-1.2.5-1.1.s390x",
"product": {
"name": "python311-dulwich-1.2.5-1.1.s390x",
"product_id": "python311-dulwich-1.2.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-dulwich-1.2.5-1.1.s390x",
"product": {
"name": "python313-dulwich-1.2.5-1.1.s390x",
"product_id": "python313-dulwich-1.2.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-dulwich-1.2.5-1.1.s390x",
"product": {
"name": "python314-dulwich-1.2.5-1.1.s390x",
"product_id": "python314-dulwich-1.2.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-dulwich-1.2.5-1.1.x86_64",
"product": {
"name": "python311-dulwich-1.2.5-1.1.x86_64",
"product_id": "python311-dulwich-1.2.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-dulwich-1.2.5-1.1.x86_64",
"product": {
"name": "python313-dulwich-1.2.5-1.1.x86_64",
"product_id": "python313-dulwich-1.2.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-dulwich-1.2.5-1.1.x86_64",
"product": {
"name": "python314-dulwich-1.2.5-1.1.x86_64",
"product_id": "python314-dulwich-1.2.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-dulwich-1.2.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64"
},
"product_reference": "python311-dulwich-1.2.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-dulwich-1.2.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le"
},
"product_reference": "python311-dulwich-1.2.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-dulwich-1.2.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x"
},
"product_reference": "python311-dulwich-1.2.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-dulwich-1.2.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64"
},
"product_reference": "python311-dulwich-1.2.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-dulwich-1.2.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64"
},
"product_reference": "python313-dulwich-1.2.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-dulwich-1.2.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le"
},
"product_reference": "python313-dulwich-1.2.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-dulwich-1.2.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x"
},
"product_reference": "python313-dulwich-1.2.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-dulwich-1.2.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64"
},
"product_reference": "python313-dulwich-1.2.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-dulwich-1.2.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64"
},
"product_reference": "python314-dulwich-1.2.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-dulwich-1.2.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le"
},
"product_reference": "python314-dulwich-1.2.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-dulwich-1.2.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x"
},
"product_reference": "python314-dulwich-1.2.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-dulwich-1.2.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
},
"product_reference": "python314-dulwich-1.2.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42305",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42305"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42305",
"url": "https://www.suse.com/security/cve/CVE-2026-42305"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42305"
},
{
"cve": "CVE-2026-42563",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42563"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42563",
"url": "https://www.suse.com/security/cve/CVE-2026-42563"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-42563"
},
{
"cve": "CVE-2026-47712",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-47712"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-47712",
"url": "https://www.suse.com/security/cve/CVE-2026-47712"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
"openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-47712"
}
]
}