Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-dulwich for openSUSE:Factory checked in at 2026-07-06 12:30:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-dulwich (Old) and /work/SRC/openSUSE:Factory/.python-dulwich.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-dulwich" Mon Jul 6 12:30:39 2026 rev:73 rq:1363778 version:1.2.7 Changes: -------- --- /work/SRC/openSUSE:Factory/python-dulwich/python-dulwich.changes 2026-05-29 18:14:33.433000731 +0200 +++ /work/SRC/openSUSE:Factory/.python-dulwich.new.1982/python-dulwich.changes 2026-07-06 12:32:43.856220387 +0200 @@ -1,0 +2,67 @@ +Sat Jun 27 15:30:21 UTC 2026 - Dirk Müller <[email protected]> + +- update to 1.2.7 (bsc#1268128, CVE-2026-42305): + * Verify that an object retrieved by id actually hashes to the + requested id, raising ``ChecksumMismatch`` otherwise. + * Check out files whose names contain a colon or backslash. The + NTFS path validator rejected any element containing + ``:`` or ````, so such files were silently dropped on clone. + It now rejects only the ``.git``/``git~1`` + * alternate-data-stream spellings, like git. + * Abort the checkout when a tree entry has an invalid path + (e.g. a ``.git`` alias) instead of silently skipping it. + * Reject pack names containing path separators in the dumb HTTP + transport, so a malicious server can no longer escape the + temporary directory. + * SECURITY: Don't expand config ``include`` directives when + parsing ``.gitmodules``, so a crafted ``.gitmodules`` in a cloned + repository can no longer make ``clone --recurse-submodules`` + read arbitrary files. + * SECURITY: Validate ref names before resolving them to a path, + so a client-supplied name like ``../../secret`` can no longer read + a file outside the ref store. This closes a traversal via git- + upload-archive's ``argument`` and other lookup paths. + * Add ``porcelain.request_pull`` and a ``dulwich request-pull`` + command that generate a summary of pending changes between + repositories, suitable for emailing to a maintainer, like + ``git request- pull``. + * Add ``porcelain.range_diff`` and a ``dulwich range-diff`` + command that compare two ranges of commits and show how a + patch series evolved, like ``git range-diff``. Requires the + ``munkres`` package, installable via the + ``dulwich[range_diff]`` extra. (Jelmer Vernooij, #1828) + * Fix ``apply_patch`` writing index entries with mode ``0``, + which made native git abort with ``unsupported ce_mode: 0``. + The file mode is now derived from the work-tree file. + * Fix deepening of a local shallow fetch. Re-fetching with a + larger ``depth`` moved the shallow boundary but did not + transfer the newly-uncovered commits, because the parents + provider still used the old boundary. (Jelmer Vernooij) + * Fix ``gc``/``repack`` on Windows raising ``PermissionError`` + when removing read-only pack files (as written by git). The read- + only attribute is now cleared before unlinking. (Jelmer Vernooij) + * Fix ``repack`` leaking a temporary pack file when the + consolidated pack was identical to one already on disk. + The orphaned file accumulated in the pack directory + * SECURITY: Honor ``core.protectNTFS``/``core.protectHFS`` on + all work-tree updates. The 1.2.5 path hardening (CVE-2026-42305) + only reached ``checkout`` and ``reset``; ``update_working_tree`` + (used by ``merge``, ``pull`` and others) fell back to the default + validator, so a crafted branch could still check out an NTFS-unsafe name + such as ``git~2`` even with ``core.protectNTFS=true``. + * SECURITY: Reject patch target paths that escape the work tree + in ``apply_patches``. Patch headers are untrusted (e.g. ``git + am`` of a mailbox), so a ``+++``/rename path such as + ``../../etc/cron.d/x`` or an absolute path was joined onto + the repo path and written outside the working tree. + * ``porcelain``: Validate caller-supplied paths in + ``checkout``, ``restore`` and ``reset_file`` before writing, + as defense in depth, so a ``.git`` or ``..`` component + (including NTFS/HFS ``.git`` aliases) cannot escape the work + tree or write into the control directory. + * Remove the ``force_remove_untracked`` argument from + * ``index.update_working_tree``. It had been a no-op since the + function was rewritten to apply changes from a diff iterator, and + removing untracked files is not part of ``reset --hard`` semantics. + +------------------------------------------------------------------- Old: ---- dulwich-1.2.5.tar.gz New: ---- dulwich-1.2.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-dulwich.spec ++++++ --- /var/tmp/diff_new_pack.dliEpR/_old 2026-07-06 12:32:44.488242333 +0200 +++ /var/tmp/diff_new_pack.dliEpR/_new 2026-07-06 12:32:44.492242471 +0200 @@ -25,7 +25,7 @@ %{?sle15_python_module_pythons} %define oldpython python Name: python-dulwich -Version: 1.2.5 +Version: 1.2.7 Release: 0 Summary: Pure-Python Git Library License: Apache-2.0 OR GPL-2.0-or-later ++++++ dulwich-1.2.5.tar.gz -> dulwich-1.2.7.tar.gz ++++++ ++++ 7810 lines of diff (skipped)
