Ubuntu alert USN-8303-1 (python-git)
From: noreply+usn-bot@canonical.com
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-8303-1] GitPython vulnerabilities
Date: Wed, 27 May 2026 01:40:42 +0000
Message-ID: <E1wS3GE-00085w-0U@lists.ubuntu.com>
==========================================================================
Ubuntu Security Notice USN-8303-1
May 26, 2026

python-git vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in GitPython.

Software Description:
- python-git: A python library used to interact with Git repositories

Details:

Santos Gallegos discovered that GitPython did not properly validate paths
when resolving certain Git references. An attacker could possibly use this
issue to cause files outside the .git directory to be accessed, leading to
a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-41040)

Wes Ring discovered that GitPython did not properly block certain unsafe
Git options when they were provided as Python keyword arguments. An
attacker could possibly use this issue to cause arbitrary command
execution. (CVE-2026-42215)

It was discovered that GitPython did not properly validate clone options
before processing them. An attacker could possibly use this issue to
inject unsafe Git configuration, leading to arbitrary command execution
through Git hooks. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42284)

It was discovered that GitPython did not properly validate reference paths
during reference operations. An attacker could possibly use this issue to
write, overwrite, move, or delete files outside the repository.
(CVE-2026-44243)

Dan Aridor discovered that GitPython did not properly validate
configuration values before writing them to Git configuration files. An
attacker could possibly use this issue to inject unsafe Git configuration,
leading to arbitrary command execution through Git hooks. (CVE-2026-44244)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  python-git-doc                  3.1.46-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  python3-git                     3.1.46-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  python-git-doc                  3.1.37-3ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  python3-git                     3.1.37-3ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  python-git-doc                  3.1.24-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro
  python3-git                     3.1.24-1ubuntu0.1~esm3
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  python-git-doc                  3.0.7-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  python3-git                     3.0.7-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  python-git                      2.1.8-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  python-git-doc                  2.1.8-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  python3-git                     2.1.8-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-git                      1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  python-git-doc                  1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  python3-git                     1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  python-git                      0.3.2~RC1-3ubuntu0.1~esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8303-1
  CVE-2023-41040, CVE-2026-42215, CVE-2026-42284, CVE-2026-44243,
  CVE-2026-44244
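To confirm that a host has actually received the package versions above rather than a still-vulnerable build, the following is an added example, not Canonical's tooling and not part of the notice. It re-implements dpkg's Debian version-comparison algorithm (verrevcmp) in pure Python so it runs offline without dpkg or python-apt, and checks versions reported by dpkg-query against the fixed versions listed in this notice. It assumes the release is passed as the VERSION_ID from /etc/os-release (for example "22.04") and that the package listing is the output of `dpkg-query -W -f='${Package}\t${Version}\n' python3-git python-git-doc`; the sample dpkg-query output embedded in the block is constructed, not taken from a real host. The detail worth checking by hand is the tilde: `~esm1` sorts before an empty suffix, so `3.1.46-1ubuntu0.1~esm1` ranks below a hypothetical `3.1.46-1ubuntu0.1` but above `3.1.46-1`, which is why a naive string or numeric comparison gets ESM versions wrong.

```python
r"""Check installed python-git packages against the USN-8303-1 fixed versions.

Added example, not Canonical's tooling. Re-implements dpkg's Debian version
comparison (verrevcmp) in pure Python so it runs without dpkg or python-apt.
Assumes `release` is the VERSION_ID from /etc/os-release and that the package
listing comes from:
    dpkg-query -W -f='${Package}\t${Version}\n' python3-git python-git-doc
"""

# Fixed versions as listed in USN-8303-1, keyed by Ubuntu release
# (all packages of one release share the same version).
FIXED_VERSIONS = {
    "26.04": "3.1.46-1ubuntu0.1~esm1",
    "24.04": "3.1.37-3ubuntu0.1~esm2",
    "22.04": "3.1.24-1ubuntu0.1~esm3",
    "20.04": "3.0.7-1ubuntu0.1~esm4",
    "18.04": "2.1.8-1ubuntu0.1~esm4",
    "16.04": "1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4",
    "14.04": "0.3.2~RC1-3ubuntu0.1~esm3",
}

# Constructed sample: a 22.04 host where python3-git is still on a previous
# (hypothetical) ESM build and only the doc package has been updated.
SAMPLE_DPKG_OUTPUT = (
    "python3-git\t3.1.24-1ubuntu0.1~esm2\n"
    "python-git-doc\t3.1.24-1ubuntu0.1~esm3\n"
)


def _order(c):
    """dpkg's character weight: '~' sorts before end-of-string, letters
    before every other non-digit; digits are compared numerically elsewhere."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream or revision string the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit or a mismatch.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]'; the last '-' starts the revision."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def version_compare(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_fixed(release, installed):
    """True when `installed` is at or above the USN-8303-1 version for `release`."""
    return version_compare(installed, FIXED_VERSIONS[release]) >= 0


def audit(release, dpkg_query_output):
    """Map each 'package<TAB>version' line to 'fixed' or 'vulnerable'."""
    report = {}
    for line in dpkg_query_output.splitlines():
        if line.strip():
            package, installed = line.split("\t", 1)
            report[package] = "fixed" if is_fixed(release, installed) else "vulnerable"
    return report
```

On a live host the same answer comes from dpkg itself, e.g. `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' python3-git)" ge 3.1.24-1ubuntu0.1~esm3`; the Python version is for auditing exported package inventories from many hosts offline, where dpkg is not available.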
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmoWSxYACgkQcpJm3tlz
hgEcxA/+OBLl+/wcVrkhNdfefb7gd3y78Df+ajPRvF1+FV1KDtwE3MwmbgjViPJx
hqZhclVhPs0z1M2bZBUhk8EGiesOP34v5snpv5N9qTr8ATuEouY7LPTYpO2P0L9/
oAlTI3p9oTVBXZvwBXT8D1+rZTiqXg/43ffIadIOYXz2wRIUNoadSO5taR7tesgq
TwA3FMzUPgwEdR6/Lqobg/2dQFjQDESv2qXVAsPXI+joH+5SYXr9e1YDr0AdLkNj
oCaavvkNnfbb/nwY7oeAuu7jXAhN0umy2x8CsvD2EoUSW7QEpP47J9L+8YtDV4Oe
qqoT1tJHo6HgqkaWhzyAF+1C3Vr8BzJSGSg0vPVWOu46+9EB/WduUXm3fPFUpYyf
lokpmTNaU6mZqhMI62oFXrNi49P14PuXQZdopVfzw/r/GhC/aNsMD+9nP+NviC5V
Lrd/WQ2zyRZyqifZgkamRfC8vrDVhk038u9aAngEcKnj7KEPBFMaca+DdLF9iEf1
vGULX4qTGyTb0IFh8ueadzAbOU6HRZpDFm/iv2ycynzfH1tQ7AoHhJUjNk/enJbd
1MytQOvK/T6XepnQISftDvbRiCuP9x93WdqG3p4SDQG1KZxaLpMq/VmFGXyEE5hR
LY1ZpCT+ORKhJFD1wmwxUPV6Wze0kwN+hAU/KB4MzF+6Dyzk6tY=
=nCFI
-----END PGP SIGNATURE-----
