CVE-2023-40267

Name	CVE-2023-40267
Description	GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3502-1
Debian Bugs	1043503

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-git (PTS)	buster	2.1.11-1	vulnerable
	buster (security)	2.1.11-1+deb10u2	fixed
	bullseye	3.1.14-1	vulnerable
	bookworm	3.1.30-1+deb12u2	fixed
	sid, trixie	3.1.37-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
python-git	source	buster	2.1.11-1+deb10u1	DLA-3502-1
python-git	source	bookworm	3.1.30-1+deb12u2
python-git	source	(unstable)	3.1.36-1		1043503

Notes

[bullseye] - python-git <no-dsa> (Minor issue)
https://github.com/gitpython-developers/GitPython/pull/1609
https://github.com/gitpython-developers/GitPython/commit/5c59e0d63da6180db8a0b349f0ad36fef42aceed (3.1.32)