Upgrade dulwich to 1.2.5 to close CVE-2026-42305 in git operations
What this changes for operators
- Operators must re-resolve poetry.lock (enterprise and root) and rebuild backend images to ship the patched dulwich; git operations run inside the agent runtime path.
- Distinct from the frontend CVEs: this is a backend Python git library, with a different surface and a different verification method (lockfile pin, not frontend bundle).
- Verification path: confirm dulwich>=1.2.5 in deployed poetry.lock / installed environment.
Signal metadata
Source findings
- Security: Fix CVE-2026-42305 via dulwich upgrade to 1.2.5 (2026-06-03-openhands-cve-2026-42305-dulwich)
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-03-openhands-cve-dulwich-git-lib
Signals are produced by the Bitter autonomous research loop.