CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score: 7.3 High (Confidence: Low)
EPSS: 0.164 Low (Percentile: 96.0%)
Debian Security Advisory DSA-3206-1 [email protected]
http://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2015 http://www.debian.org/security/faq
Package : dulwich
CVE ID : CVE-2014-9706 CVE-2015-0838
Debian Bug : 780958 780989
Multiple vulnerabilities have been discovered in Dulwich, a Python
implementation of the file formats and protocols used by the Git version
control system. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2014-9706
It was discovered that Dulwich allows writing to files under .git/
when checking out working trees. This could lead to the execution of
arbitrary code with the privileges of the user running an
application based on Dulwich.
CVE-2015-0838
Ivan Fratric of the Google Security Team has found a buffer
overflow in the C implementation of the apply_delta() function,
used when accessing Git objects in pack files. An attacker could
take advantage of this flaw to cause the execution of arbitrary
code with the privileges of the user running a Git server or client
based on Dulwich.
For the stable distribution (wheezy), these problems have been fixed in
version 0.8.5-2+deb7u2.
For the upcoming stable distribution (jessie), these problems have been
fixed in version 0.9.7-3.
For the unstable distribution (sid), these problems have been fixed in
version 0.10.1-1.
We recommend that you upgrade your dulwich packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
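As an added illustration of CVE-2014-9706 (not code from the advisory or from Dulwich), the following Python shows the kind of path check a checkout routine needs before writing entries from an untrusted tree to disk. The function names and sample paths are constructed, and the case-insensitive match and backslash handling are assumptions covering case-insensitive file systems and Windows.

```python
import re

# Added illustration; names are hypothetical, not Dulwich's API.
# Path components that must never be created inside a working tree.
FORBIDDEN_COMPONENTS = {b"", b".", b"..", b".git"}


def is_safe_checkout_path(path: bytes) -> bool:
    """Return True if a tree entry path may be written to the working tree."""
    if b"\x00" in path:
        return False
    # Split on "/" and also "\" (assumption: the checkout may run on Windows).
    for component in re.split(rb"[/\\]", path):
        # Lower-casing is an assumption that covers case-insensitive file
        # systems, where ".GIT" and ".git" name the same directory.
        if component.lower() in FORBIDDEN_COMPONENTS:
            return False
    return True


def partition_entries(paths):
    """Split tree entry paths into (writable, rejected) lists."""
    writable, rejected = [], []
    for path in paths:
        (writable if is_safe_checkout_path(path) else rejected).append(path)
    return writable, rejected


# Constructed sample of paths as they might appear in an untrusted tree.
SAMPLE_TREE_PATHS = [
    b"README.md",
    b"src/main.py",
    b".gitignore",               # only a name prefix, not the .git directory
    b".git/hooks/post-checkout", # would plant a hook in the repository
    b".GIT/config",              # same directory on case-insensitive systems
    b"vendor/.git/config",       # nested repository metadata
    b"../outside.txt",           # escapes the working tree
    b"/etc/motd",                # absolute path (empty first component)
]

if __name__ == "__main__":
    ok, bad = partition_entries(SAMPLE_TREE_PATHS)
    for p in bad:
        print("rejected:", p.decode())
    print(len(ok), "entries safe to write")
```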
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 8 | mipsel | python-dulwich-dbg | < 0.9.7-3 | python-dulwich-dbg_0.9.7-3_mipsel.deb |
Debian | 8 | armhf | python-dulwich | < 0.9.7-3 | python-dulwich_0.9.7-3_armhf.deb |
Debian | 8 | powerpc | python-dulwich | < 0.9.7-3 | python-dulwich_0.9.7-3_powerpc.deb |
Debian | 7 | kfreebsd-amd64 | python-dulwich-dbg | < 0.8.5-2+deb7u2 | python-dulwich-dbg_0.8.5-2+deb7u2_kfreebsd-amd64.deb |
Debian | 8 | mipsel | python-dulwich | < 0.9.7-3 | python-dulwich_0.9.7-3_mipsel.deb |
Debian | 7 | sparc | python-dulwich-dbg | < 0.8.5-2+deb7u2 | python-dulwich-dbg_0.8.5-2+deb7u2_sparc.deb |
Debian | 7 | mips | python-dulwich | < 0.8.5-2+deb7u2 | python-dulwich_0.8.5-2+deb7u2_mips.deb |
Debian | 7 | powerpc | python-dulwich | < 0.8.5-2+deb7u2 | python-dulwich_0.8.5-2+deb7u2_powerpc.deb |
Debian | 7 | powerpc | python-dulwich-dbg | < 0.8.5-2+deb7u2 | python-dulwich-dbg_0.8.5-2+deb7u2_powerpc.deb |
Debian | 6 | i386 | python-dulwich | < 0.6.1-1+deb6u1 | python-dulwich_0.6.1-1+deb6u1_i386.deb |