-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 May 2026 22:58:58 +0100
Source: dulwich
Architecture: source
Version: 1.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Jelmer Vernooij <jelmer@debian.org>
Changes:
 dulwich (1.2.5-1) unstable; urgency=medium
 .
   * New upstream release, fixing several security issues:
     - Validate submodule paths in porcelain.submodule_update (and thus
       porcelain.clone with recurse_submodules=True). The dulwich analogue
       of git's CVE-2024-32002 / CVE-2024-32004 (GHSA-gfhv-vqv2-4544).
     - CVE-2026-42305: Harden tree path validation against entry names that
       are harmless on POSIX but dangerous when checked out on Windows.
     - CVE-2026-42563: Shell-quote values substituted into
       ProcessMergeDriver commands.
     - CVE-2026-47712: Sanitize commit subjects used in
       porcelain.format_patch filenames to prevent path traversal.
     - CVE-2026-47734: Honour receive.maxInputSize in ReceivePackHandler to
       bound memory allocation from crafted packs over git-receive-pack.
   * Add patch older-similar: Downgrade similar crate to version 2.
Checksums-Sha1:
4aca8318017653d960ffd83c96e9d53f2c66124e 2245 dulwich_1.2.5-1.dsc
512e3fb7eeb185c9f8cbd233755b3753784cb7c0 1248388 dulwich_1.2.5.orig.tar.gz
593d24e0091e1d552d26581994e7f3bb6835b6d1 10032 dulwich_1.2.5-1.debian.tar.xz
15573bfc0da43ca6632ca6a5322592d7550d2f72 32966 dulwich_1.2.5-1_source.buildinfo
Checksums-Sha256:
81d797da517999d4ab47a5815c84d3e782a497c8bb6da9c4a690c517cefff646 2245 dulwich_1.2.5-1.dsc
c86b8add1cd4587977bd886e610e3bc06f1e0b99507e942ea6fdb5bdb27f7826 1248388 dulwich_1.2.5.orig.tar.gz
7b305cbddb99879c3147691b70645d4dddd078b6492c5ce9eccbb1da5878d935 10032 dulwich_1.2.5-1.debian.tar.xz
176bcd198d969a7efec5ff6b4188097ea1b424385e96369bb821ff96cd1a34d3 32966 dulwich_1.2.5-1_source.buildinfo
Files:
f476fe526330bc6dc3d481e0833664b7 2245 python optional dulwich_1.2.5-1.dsc
18ad27e2f8b815e63fc1bb6f6a48c9b7 1248388 python optional dulwich_1.2.5.orig.tar.gz
70f9f8442031b8ffc0d8d2e682d7c832 10032 python optional dulwich_1.2.5-1.debian.tar.xz
8b15334d1f0522e3025d5c91eaccc366 32966 python optional dulwich_1.2.5-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----