[USN-8303-1] GitPython vulnerabilities
Posted on 27 May 2026
Ubuntu Security
==========================================================================
Ubuntu Security Notice USN-8303-1
May 26, 2026
python-git vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in GitPython.
Software Description:
- python-git: A python library used to interact with Git repositories
Details:
Santos Gallegos discovered that GitPython did not properly validate
paths when resolving certain Git references. An attacker could possibly
use this issue to cause files outside the .git directory to be accessed,
leading to a denial of service. This issue only affected Ubuntu 14.04
LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu
22.04 LTS. (CVE-2023-41040)
Wes Ring discovered that GitPython did not properly block certain unsafe
Git options when they were provided as Python keyword arguments. An
attacker could possibly use this issue to cause arbitrary command
execution. (CVE-2026-42215)
It was discovered that GitPython did not properly validate clone options
before processing them. An attacker could possibly use this issue to
inject unsafe Git configuration, leading to arbitrary command execution
through Git hooks. This issue only affected Ubuntu 20.04 LTS, Ubuntu
22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42284)
It was discovered that GitPython did not properly validate reference
paths during reference operations. An attacker could possibly use this
issue to write, overwrite, move, or delete files outside the repository.
(CVE-2026-44243)
Dan Aridor discovered that GitPython did not properly validate
configuration values before writing them to Git configuration files. An
attacker could possibly use this issue to inject unsafe Git
configuration, leading to arbitrary command execution through Git hooks.
(CVE-2026-44244)
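Every issue above is the same shape: caller-supplied input (a reference name, a keyword argument that becomes a git option, a clone option string, a configuration value) reaches git without being checked against the repository boundary or against the small set of options and keys that make git run a program. Updating the packages listed below is the fix. What follows is an added example, not code from GitPython, Debian, Ubuntu or this notice, of the caller-side checks an application can keep in front of the library regardless of version. It assumes the keyword convention GitPython documents (q=True becomes -q, max_count=10 becomes --max-count=10) and that clone options are passed as a list of strings; the function names, the deny lists and the sample inputs are the example's own.

```python
"""Caller-side checks for untrusted input handed to GitPython.

Added example for this notice, not code from GitPython, Debian or Ubuntu.
One check per issue class in the notice: reference names that escape the
repository, git options that run a program, and configuration entries
that would enable hooks. The deny lists are this example's own.
"""
import os
import re
import shlex

# Options that make git execute a program (a fact about git itself):
# --upload-pack/-u, --receive-pack and --exec name the remote-side command;
# -c and --config inject configuration such as core.hooksPath.
UNSAFE_OPTIONS = frozenset(
    {"--upload-pack", "-u", "--receive-pack", "--exec", "-c", "--config"})
# Configuration keys git resolves to an executable (compared lower-cased).
UNSAFE_CONFIG_KEYS = frozenset(
    {"core.hookspath", "core.fsmonitor", "core.sshcommand", "core.pager",
     "core.editor", "credential.helper", "diff.external"})
# Characters git check-ref-format forbids in a reference name.
_REF_BAD = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def check_ref_name(name: str) -> str:
    """Return name if it satisfies the check-ref-format rules that matter
    for path safety (no absolute path, no '..', no leading '-'), else raise."""
    if not name or name.startswith(("/", "-")) or name.endswith(("/", ".")):
        raise ValueError(f"malformed reference name: {name!r}")
    if _REF_BAD.search(name) or ".." in name or "@{" in name or name == "@":
        raise ValueError(f"forbidden sequence in reference name: {name!r}")
    for part in name.split("/"):
        if not part or part.startswith(".") or part.endswith(".lock"):
            raise ValueError(f"bad component in reference name: {name!r}")
    return name


def ref_file_path(git_dir: str, name: str) -> str:
    """Loose-ref file for name, guaranteed to lie inside git_dir. The
    realpath/commonpath check also catches a symlink pointing out of .git."""
    root = os.path.realpath(git_dir)
    path = os.path.realpath(os.path.join(root, check_ref_name(name)))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"reference {name!r} resolves outside {root}")
    return path


def _option_name(token: str):
    """'--upload-pack=x' -> '--upload-pack'; '-ccore.a=b' -> '-c'; 'x' -> None."""
    if token.startswith("--"):
        return token.split("=", 1)[0]
    if token.startswith("-") and len(token) > 1:
        return token[:2]
    return None


def check_option_tokens(tokens: list) -> list:
    """Raise if any command-line token is an unsafe option; else return tokens."""
    for token in tokens:
        if _option_name(token) in UNSAFE_OPTIONS:
            raise ValueError(f"refusing unsafe git option in {token!r}")
    return tokens


def kwargs_to_args(**kwargs) -> list:
    """Expand keyword arguments into git options the way GitPython documents
    (q=True -> -q, max_count=10 -> --max-count=10, False/None drops the
    option) and vet the resulting argument list before it reaches the library."""
    args = []
    for key, value in kwargs.items():
        if value is False or value is None:
            continue
        if len(key) == 1:
            args += [f"-{key}"] if value is True else [f"-{key}", str(value)]
        else:
            flag = "--" + key.replace("_", "-")
            args.append(flag if value is True else f"{flag}={value}")
    return check_option_tokens(args)


def check_clone_options(multi_options: list) -> list:
    """Vet clone option strings such as '--depth 1' (each is shell-split)."""
    for option in multi_options:
        check_option_tokens(shlex.split(option))
    return multi_options


def check_config_entry(section: str, option: str, value: str) -> tuple:
    """Vet a config triple before writing it: no key that names an
    executable, no control character that could inject a new config line."""
    if f"{section}.{option}".lower() in UNSAFE_CONFIG_KEYS:
        raise ValueError(f"refusing to write {section}.{option}")
    if any(_CONTROL.search(field) for field in (section, option, value)):
        raise ValueError("control character in configuration entry")
    return section, option, value


def rejects(check, *args, **kwargs) -> bool:
    """True if check(*args, **kwargs) raises ValueError (demo helper)."""
    try:
        check(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Run the checks on the untrusted values only, and keep them in front of every call site that builds git arguments (clone, fetch, push, ref lookups, config writes); a vetted argument list can then be passed to the library unchanged. The option deny list is intentionally short and concerned only with command execution; add to it if your threat model also cares about, for example, credential or protocol options.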
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python-git-doc 3.1.46-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-git 3.1.46-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 24.04 LTS
python-git-doc 3.1.37-3ubuntu0.1~esm2
Available with Ubuntu Pro
python3-git 3.1.37-3ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 22.04 LTS
python-git-doc 3.1.24-1ubuntu0.1~esm3
Available with Ubuntu Pro
python3-git 3.1.24-1ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
python-git-doc 3.0.7-1ubuntu0.1~esm4
Available with Ubuntu Pro
python3-git 3.0.7-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python-git 2.1.8-1ubuntu0.1~esm4
Available with Ubuntu Pro
python-git-doc 2.1.8-1ubuntu0.1~esm4
Available with Ubuntu Pro
python3-git 2.1.8-1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-git 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4
Available with Ubuntu Pro
python-git-doc 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4
Available with Ubuntu Pro
python3-git 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm4
Available with Ubuntu Pro
Ubuntu 14.04 LTS
python-git 0.3.2~RC1-3ubuntu0.1~esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8303-1
CVE-2023-41040, CVE-2026-42215, CVE-2026-42284, CVE-2026-44243,
CVE-2026-44244