[oss-security] Dulwich security issue (fwd)

Adi Kriegisch adi at cg.tuwien.ac.at
Mon Mar 23 11:00:03 EDT 2015


Hey!

> >...anything we need to do about that?
> I don't know. I guess all we can do is to inform all users that they
> probably have it installed as a dependency and that they should
> upgrade. We could perhaps make a "secure" version mandatory in next
> release.
Ok... Kallithea depends on:
  dulwich>=0.9.3,<=0.9.7
for which the original patch does apply. Backporting to 0.9.7 is easy
because the relevant parts of the patch apply cleanly (see attached patch).
 
> I can however not find the mentioned 0.9.9 anywhere, and pip only
> has a 0.10.0 which also doesn't have any release notes and I don't
> know how backwards compatible it is.
It does not work with Kallithea; 'pip install -U dulwich' was the first
thing I tried... ;-)
0.9.9 seems to be a fix for 0.9.8 that does a version update too but it
does not seem to be pip installable from any known sources.

I downloaded the source locally, applied the patch and installed within the
venv. Actually I hope Kallithea will soon be Debian packaged to make fixing
issues like that easier... :)

Thanks for your response!

-- Adi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2015-0838-backport-0.9.7.patch
Type: text/x-diff
Size: 1904 bytes
Desc: not available
URL: <http://lists.sfconservancy.org/pipermail/kallithea-general/attachments/20150323/264737cb/attachment.patch>
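The mail above hinges on a pin: Kallithea accepts only dulwich>=0.9.3,<=0.9.7, so a plain `pip install -U dulwich` pulls a version outside the allowed range and the fix has to be backported to 0.9.7 instead. The following is an added example, not code from the thread or from the Kallithea or Dulwich projects: a small checker that parses a pip-style requirement and reports which candidate versions the pin would accept. Version handling is deliberately simplified to dotted integers (an assumption, not a full PEP 440 implementation); the candidate versions 0.9.7, 0.9.9 and 0.10.0 are the ones mentioned in the mail.

```python
# Added example: decide whether candidate dulwich versions satisfy the
# Kallithea pin quoted in the mail.  Not part of the mailing-list thread.
import re
from typing import Callable, Dict, List, Tuple

# Requirement string as given in the mail.
KALLITHEA_PIN = "dulwich>=0.9.3,<=0.9.7"

# Versions named in the thread: the pinned max, the fix release, and the
# version pip offered at the time.
CANDIDATES = ["0.9.7", "0.9.9", "0.10.0"]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '0.9.7' into (0, 9, 7).  Simplified: digits and dots only."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1.  Pads with zeros so (0, 9) == (0, 9, 0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# Each operator maps the result of compare(installed, bound) to a verdict.
OPS: Dict[str, Callable[[int], bool]] = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
}


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """Split 'name>=a,<=b' into the name and a list of (operator, bound)."""
    m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*(.*)", req.strip())
    if m is None:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2)
    clauses: List[Tuple[str, Version]] = []
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        # Longer operators first so '<=' is not read as '<' followed by '='.
        cm = re.fullmatch(r"(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)", clause)
        if cm is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(req: str, version: str) -> bool:
    """True if every clause of the requirement accepts this version."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(OPS[op](compare(v, bound)) for op, bound in clauses)


def acceptable(req: str, versions: List[str]) -> List[str]:
    """Subset of the candidates that the pin allows."""
    return [v for v in versions if satisfies(req, v)]


if __name__ == "__main__":
    name, _ = parse_requirement(KALLITHEA_PIN)
    for candidate in CANDIDATES:
        verdict = "ok" if satisfies(KALLITHEA_PIN, candidate) else "rejected"
        print(f"{name} {candidate}: {verdict} under {KALLITHEA_PIN}")
```

Running it shows that only 0.9.7 passes the pin, which is exactly the situation in the mail: neither the 0.9.9 fix release nor the 0.10.0 that pip offered could be installed without either loosening the constraint or backporting the patch to the pinned version.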
