
Mageia alert MGASA-2015-0157 (python-dulwich)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2015-0157: Updated python-dulwich packages fix security vulnerabilities
Date:  Wed, 15 Apr 2015 19:23:15 +0200
Message-ID:  <20150415172315.26A8C48A00@valstar.mageia.org>

MGASA-2015-0157 - Updated python-dulwich packages fix security vulnerabilities

Publication date: 15 Apr 2015
URL: http://advisories.mageia.org/MGASA-2015-0157.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-9706, CVE-2015-0838

Description:
Updated python-dulwich package fixes security vulnerabilities:

It was discovered that Dulwich allows writing to files under .git/ when
checking out working trees. This could lead to the execution of arbitrary
code with the privileges of the user running an application based on
Dulwich (CVE-2014-9706).

Ivan Fratric of the Google Security Team has found a buffer overflow in the
C implementation of the apply_delta() function, used when accessing Git
objects in pack files. An attacker could take advantage of this flaw to
cause the execution of arbitrary code with the privileges of the user
running a Git server or client based on Dulwich (CVE-2015-0838).

The python-dulwich package has been updated to version 0.10.0, fixing these
issues and other bugs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=15558
- https://www.debian.org/security/2015/dsa-3206
- https://git.samba.org/?p=jelmer/dulwich.git;a=blob;f=NEWS;...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9706
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0838

SRPMS:
- 4/core/python-dulwich-0.10.0-1.mga4
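The class of check that addresses CVE-2014-9706, shown as an added example that is not part of the advisory and not Dulwich's own code: tree entry paths are validated before checkout so nothing is written under .git/. The function names, the case-insensitive comparison and the backslash rejection are assumptions of this sketch, and the sample entries are constructed.

```python
# Added example: pre-checkout path validation for Git tree entries.
# is_safe_tree_path / filter_checkout are hypothetical names, not Dulwich API.

# Path components that must never be created by a checkout.
FORBIDDEN_COMPONENTS = {b"", b".", b"..", b".git"}


def is_safe_tree_path(path: bytes) -> bool:
    """Return True if a tree entry path is safe to write into the work tree."""
    # Absolute paths, NUL bytes and backslashes are rejected outright.
    # Rejecting backslashes is a conservative assumption: it blocks
    # "sub\\.git\\config" on platforms that treat "\\" as a separator.
    if path.startswith(b"/") or b"\x00" in path or b"\\" in path:
        return False
    for component in path.split(b"/"):
        # Compare case-insensitively (assumption): on case-insensitive
        # filesystems ".GIT" resolves to the repository control directory.
        if component.lower() in FORBIDDEN_COMPONENTS:
            return False
    return True


def filter_checkout(entries):
    """Split (path, blob) pairs into paths safe to write and paths rejected."""
    safe, rejected = [], []
    for path, _blob in entries:
        (safe if is_safe_tree_path(path) else rejected).append(path)
    return safe, rejected


# Constructed sample tree entries (path, blob contents).
SAMPLE_ENTRIES = [
    (b"README.md", b"hello\n"),
    (b"src/app.py", b"print('ok')\n"),
    (b".git/config", b"[core]\n"),
    (b"sub/.GIT/config", b"[core]\n"),
    (b"../outside", b""),
    (b".gitignore", b"*.pyc\n"),
]

if __name__ == "__main__":
    safe, rejected = filter_checkout(SAMPLE_ENTRIES)
    print("write:", safe)
    print("refuse:", rejected)
```

Only whole path components are compared, so ordinary files such as .gitignore are still written.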

