Package: python-git / 3.1.30-1+deb12u2

Metadata

Package: python-git
Version: 3.1.30-1+deb12u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
CVE-2023-40267.patch

git/repo/base.py  |  2 (2 added, 0 removed, 0 modified)
test/test_repo.py | 22 (22 added, 0 removed, 0 modified)
2 files changed, 24 insertions(+)

 [patch] block insecure non-multi options in clone/clone_from
 Follow-up to #1521
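The patch subject describes closing the second way a caller could smuggle a dangerous option into `git clone`: the deny-list introduced for the raw CLI strings in `multi_options` was not applied to options passed as ordinary keyword arguments. The following is an added example of such a check applied on both paths; it is illustration code, not GitPython's or Debian's, and the function names, the keyword-to-flag rendering convention and the sample URL are assumptions. It also goes slightly beyond the subject line by matching the glued short form (`-uprog`), which git parses as `-u prog`.

```python
"""Added example: a deny-list check for dangerous `git clone` options applied
on both argument paths, the raw CLI strings (multi_options) and the keyword
options that are later rendered as CLI flags. Not GitPython's own code; the
helper names and the kwarg-to-flag convention are assumptions."""
from typing import Iterable, List, Optional


class UnsafeOptionError(ValueError):
    """Raised when a deny-listed option would reach the clone command."""


# -u/--upload-pack makes git run an arbitrary program; -c/--config can set
# e.g. core.sshCommand. Either turns a clone into command execution.
UNSAFE_CLONE_OPTIONS = ("--upload-pack", "-u", "--config", "-c")


def is_unsafe_token(token: str, unsafe: Iterable[str] = UNSAFE_CLONE_OPTIONS) -> bool:
    """Match one CLI token against the deny-list in every spelling git accepts:
    '--upload-pack', '--upload-pack=prog', '-u' (value in the next token, the
    first token matches) and the glued short form '-uprog'."""
    name = token.split("=", 1)[0]
    for opt in unsafe:
        if name == opt:
            return True
        is_short = len(opt) == 2 and opt[0] == "-" and opt[1] != "-"
        if is_short and token.startswith(opt):
            return True
    return False


def check_unsafe_options(options: Iterable[str]) -> None:
    """Raise on the first deny-listed token."""
    for token in options:
        if is_unsafe_token(token):
            raise UnsafeOptionError(
                f"{token!r} is not allowed; pass allow_unsafe_options=True to override"
            )


def kwarg_to_flag(name: str) -> str:
    """Assumed rendering convention: upload_pack -> --upload-pack, c -> -c."""
    dashed = name.replace("_", "-")
    return f"-{dashed}" if len(dashed) == 1 else f"--{dashed}"


def clone_argv(url: str, path: str, multi_options: Optional[List[str]] = None,
               allow_unsafe_options: bool = False, **kwargs) -> List[str]:
    """Build argv for `git clone`, refusing deny-listed options on both paths."""
    multi_options = list(multi_options or [])
    # Keyword options are rendered to the CLI spelling first, so the same
    # token-level check covers them (the "non-multi" path the fix closed).
    rendered = []
    for name, value in kwargs.items():
        flag = kwarg_to_flag(name)
        rendered.append(flag if value is True else f"{flag}={value}")
    if not allow_unsafe_options:
        check_unsafe_options(multi_options)  # path 1: raw CLI strings
        check_unsafe_options(rendered)       # path 2: keyword options
    return ["git", "clone", *multi_options, *rendered, url, path]


def is_rejected(multi_options: Optional[List[str]] = None, **kwargs) -> bool:
    """True if clone_argv refuses this combination of options."""
    try:
        clone_argv("https://example.invalid/repo.git", "/tmp/repo", multi_options, **kwargs)
    except UnsafeOptionError:
        return True
    return False


if __name__ == "__main__":
    print(clone_argv("https://example.invalid/repo.git", "/tmp/repo", depth=1))
    print("upload_pack kwarg rejected:", is_rejected(upload_pack="touch /tmp/pwned"))
    print("glued -u rejected:", is_rejected(multi_options=["-utouch"]))
```

The point of rendering keyword options before checking them is that there is then only one deny-list and one matcher to keep correct; a second list keyed on Python argument names would drift from the CLI list over time.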


CVE-2023-41040.patch

git/refs/symbolic.py |  2 (2 added, 0 removed, 0 modified)
test/test_refs.py    | 15 (15 added, 0 removed, 0 modified)
2 files changed, 17 insertions(+)

fix CVE-2023-41040

This change adds a check during reference resolving to see if it
contains an up-level reference ('..'). If it does, it raises an
exception.

This fixes CVE-2023-41040, which allows an attacker to access files
outside the repository's directory.
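The commit message describes the check but not what it prevents. The following is an added example, not GitPython's or Debian's code, showing a ref-name resolver with and without an up-level check: the unchecked join of `<git_dir>` and a ref name containing `..` lands outside the repository directory, and the checked version refuses the name before touching the filesystem. The file layout (`<git_dir>/refs/heads/<name>`), the helper names and the constructed sample repository are assumptions. Beyond the `..` component test the message describes, it also refuses a leading `/` and the sequence `..` anywhere in the name, both of which git's own ref-name rules (`git check-ref-format`) forbid.

```python
"""Added example: refusing up-level components when a ref name is resolved to
a file under the repository directory. Illustration code, not GitPython's own;
the layout <git_dir>/refs/heads/<name> and the helper names are assumptions."""
import os
import posixpath
import tempfile


class InvalidReferenceError(ValueError):
    """Raised for a ref name that could escape the repository directory."""


def validate_ref_path(ref_path: str) -> str:
    """Reject a ref name before it is joined to the git directory.

    The '..' component test is the kind of check the commit message describes.
    The other two rules are taken from git's own ref-name constraints
    (git check-ref-format forbids a leading '/' and the sequence '..' anywhere)."""
    if ".." in ref_path.split("/"):
        raise InvalidReferenceError(f"Invalid reference {ref_path!r}: up-level component")
    if ref_path.startswith("/"):
        # posixpath.join(git_dir, "/etc/passwd") discards git_dir entirely.
        raise InvalidReferenceError(f"Invalid reference {ref_path!r}: absolute path")
    if ".." in ref_path:
        raise InvalidReferenceError(f"Invalid reference {ref_path!r}: contains '..'")
    return ref_path


def unchecked_ref_file(git_dir: str, ref_path: str) -> str:
    """The file a resolver without the check would open (the vulnerable behaviour)."""
    return posixpath.normpath(posixpath.join(git_dir, ref_path))


def escapes_git_dir(git_dir: str, ref_path: str) -> bool:
    """True when the unchecked join lands outside git_dir."""
    base = posixpath.normpath(git_dir)
    target = unchecked_ref_file(git_dir, ref_path)
    return posixpath.commonpath([base, target]) != base


def read_ref(git_dir: str, ref_path: str) -> str:
    """Resolve ref_path to its file under git_dir and return the stored value.

    validate_ref_path runs first, so a traversal attempt never reaches the
    filesystem; the commonpath test is a second, independent guard."""
    validate_ref_path(ref_path)
    if escapes_git_dir(git_dir, ref_path):
        raise InvalidReferenceError(f"{ref_path!r} resolves outside {git_dir}")
    with open(unchecked_ref_file(git_dir, ref_path), encoding="utf-8") as fh:
        return fh.read().strip()


def demo_repo() -> str:
    """Constructed minimal layout: a git dir with one branch ref and a file
    next to the repository that a traversing ref name would reach."""
    root = tempfile.mkdtemp()
    git_dir = os.path.join(root, "repo", ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
        fh.write("0123456789abcdef0123456789abcdef01234567\n")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for the repository to read\n")
    return git_dir


def is_rejected(git_dir: str, ref_path: str) -> bool:
    """True if read_ref refuses the ref name."""
    try:
        read_ref(git_dir, ref_path)
    except InvalidReferenceError:
        return True
    return False


if __name__ == "__main__":
    gd = demo_repo()
    print("main ->", read_ref(gd, "refs/heads/main"))
    for bad in ("../../secret.txt", "refs/heads/../../../secret.txt", "/etc/passwd"):
        print(f"{bad!r}: unchecked path escapes git dir: {escapes_git_dir(gd, bad)},"
              f" rejected: {is_rejected(gd, bad)}")
```

Running the module shows that `../../secret.txt` resolves, unchecked, to the file beside the repository, while `read_ref` refuses it. The component test alone is enough against `../` traversal; the extra rules exist because an absolute name bypasses the join without any `..` at all.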