Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.

Upstream patch:
https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
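The class of check that closes this kind of issue, as an added example (not Dulwich's code and not part of the original report): a URL-derived hostname or username is rejected if it begins with a dash before it is placed on the ssh command line. The helper name `build_ssh_argv`, the exception `UnsafeSSHTarget`, the argv layout and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit


class UnsafeSSHTarget(ValueError):
    """A URL component could be read by ssh as a command-line option."""


def build_ssh_argv(url, remote_command):
    """Turn an ssh:// URL into an argv list for an ssh subprocess.

    Hypothetical helper for illustration; not Dulwich's API.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ssh", "git+ssh"):
        raise UnsafeSSHTarget("not an ssh URL: %r" % url)
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        raise UnsafeSSHTarget("invalid port in %r" % url)
    host, user = parts.hostname, parts.username
    if not host:
        raise UnsafeSSHTarget("missing hostname in %r" % url)

    # Core check: ssh parses any argument that starts with '-' as an option,
    # so a URL-controlled value with a leading dash must never reach argv.
    # Rejection is used instead of a '--' separator, which not every
    # ssh-compatible client honours.
    for label, value in (("hostname", host), ("username", user)):
        if value and value.startswith("-"):
            raise UnsafeSSHTarget("%s starts with '-': %r" % (label, value))

    argv = ["ssh", "-x"]
    if port is not None:
        argv += ["-p", str(port)]
    if user:
        argv += ["-l", user]
    # Host and remote command stay separate argv elements; the list is meant
    # for subprocess with shell=False, so no shell re-parses them.
    argv += [host, remote_command]
    return argv
```
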
Created python-dulwich tracking bugs for this issue:

Affects: epel-all [bug 1509304]
Affects: fedora-all [bug 1509305]
OpenStack reno is the package that requires python-dulwich. However, it does not use the vulnerable function within python-dulwich. The functionality used by reno is for manipulating git repositories on disk.