Source: dulwich
Version: 0.9.8-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Jelmer,

the following vulnerability got a separate CVE assigned after asking for it on oss-security. I choose grave as severity as it allows arbitrary code execution, if one clones from a remote git repo and subsequently commits via dulwich. Please let me know if you don't agree.

CVE-2014-9706[0]: does not prevent to write files in commits with invalid paths to working tree

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-9706

Please adjust the affected versions in the BTS as needed (I guess the issue is also present in 0.8.5, but have not yet checked this).

Regards,
Salvatore
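The class of defect the report describes is a checkout routine that takes tree entry paths from a (possibly hostile) remote commit and writes them under the working tree without validating them, so an entry such as `../x` or `.git/hooks/post-checkout` can land outside the tree or inside the repository's own metadata. The following is an added illustration of the kind of validation a checkout should perform before writing; it is not dulwich's code nor its upstream fix, and the function names, the `FORBIDDEN_COMPONENTS` set and the sample entries are all constructed for this example.

```python
import os
import tempfile

# Path components that must never appear in a path written to the working tree.
# '.git' is compared case-insensitively because common filesystems (NTFS, HFS+)
# are case-insensitive, so 'docs/.GIT/config' would still reach the real .git dir.
FORBIDDEN_COMPONENTS = {".", "..", ".git"}

# Constructed sample tree entries: (path as stored in the git tree, file content).
SAMPLE_ENTRIES = [
    (b"src/main.py", b"print('hello')\n"),
    (b"README", b"demo\n"),
    (b"../outside.txt", b"escapes the working tree\n"),
    (b".git/hooks/post-checkout", b"#!/bin/sh\necho hook\n"),
    (b"docs/.GIT/config", b"[core]\n"),
    (b"/etc/passwd", b"absolute path\n"),
    (b"a//b", b"empty component\n"),
]


def is_safe_tree_path(path: bytes) -> bool:
    """Return True if a git tree path may be written beneath the working tree.

    Rejects empty paths, NUL bytes, absolute paths, empty components and any
    '.', '..' or '.git' component (case-insensitive). Git tree paths are
    '/'-separated; backslashes are treated as separators too so a Windows
    checkout cannot be tricked with 'a\\..\\b'.
    """
    if not path or b"\x00" in path:
        return False
    if path.startswith((b"/", b"\\")):
        return False
    for part in path.replace(b"\\", b"/").split(b"/"):
        text = part.decode("utf-8", "replace")
        if part == b"" or text.lower() in FORBIDDEN_COMPONENTS:
            return False
        # Reject Windows drive-letter components such as 'C:' as a belt-and-braces check.
        if len(text) == 2 and text[1] == ":" and text[0].isalpha():
            return False
    return True


def resolve_in_worktree(worktree: str, path: bytes) -> str:
    """Join path onto worktree and verify the resolved target stays inside it.

    The realpath comparison also catches traversal through symlinks that
    already exist on disk; it cannot protect against a symlink the same
    checkout creates first, which a real checkout must handle separately.
    """
    if not is_safe_tree_path(path):
        raise ValueError(f"refusing unsafe tree path: {path!r}")
    root = os.path.realpath(worktree)
    target = os.path.realpath(os.path.join(root, path.decode("utf-8")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path resolves outside the working tree: {path!r}")
    return target


def checkout_entries(worktree: str, entries):
    """Write validated entries under worktree; return (written, refused) path lists."""
    written, refused = [], []
    for path, content in entries:
        try:
            target = resolve_in_worktree(worktree, path)
        except ValueError:
            refused.append(path)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(content)
        written.append(path)
    return written, refused


def demo():
    """Run the sample checkout in a throwaway directory and return the outcome."""
    with tempfile.TemporaryDirectory() as wt:
        return checkout_entries(wt, SAMPLE_ENTRIES)


if __name__ == "__main__":
    ok, bad = demo()
    print("written:", ok)
    print("refused:", bad)
```

Running the module writes only `src/main.py` and `README` and refuses the other five entries. The check is deliberately applied to the raw tree path before any filesystem call, so a hostile commit cannot influence where the write goes even on a case-insensitive filesystem.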