9.8

Apache Log4j Unauthenticated Remote Code Execution

UBUNTU-CVE-2026-42284
Summary

Apache Log4j, a logging library used in many software applications, has a flaw that allows attackers to execute malicious code on a server without needing a password. This could lead to unauthorized access and data theft. Update to the latest version of Log4j to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Ecosystem Vendor Product Affected versions
Ubuntu:Pro:14.04:LTS canonical python-git All versions
Ubuntu:Pro:16.04:LTS canonical python-git All versions
Ubuntu:Pro:18.04:LTS canonical python-git All versions
Ubuntu:Pro:20.04:LTS canonical python-git All versions
Ubuntu:Pro:22.04:LTS canonical python-git All versions
Ubuntu:24.04:LTS canonical python-git All versions
Ubuntu:25.10 canonical python-git All versions
Ubuntu:26.04 canonical python-git All versions
Original title
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_option...
Original description
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.
Published: 7 May 2026 · Updated: 20 May 2026 · First seen: 30 Apr 2026
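
The validate-then-split mismatch from the original description, shown as an added example: this is a simplified model, not GitPython's own code. The denylist contents and all function names are assumptions made for illustration.

```python
import shlex

# Assumed denylist of clone options that can lead to command execution.
# Illustrative only; not copied from GitPython.
UNSAFE_PREFIXES = ("--config", "-c", "--upload-pack", "-u")


class UnsafeOptionError(ValueError):
    """Raised when a denylisted option token is found."""


def check_options(tokens):
    # Reject any token that begins with a denylisted option name.
    for tok in tokens:
        if tok.startswith(UNSAFE_PREFIXES):
            raise UnsafeOptionError(tok)


def build_args_vulnerable(multi_options):
    # Pre-fix pattern: validate the caller's list, then split a joined copy.
    # The tokens that were checked are not the tokens that get executed.
    check_options(multi_options)
    return shlex.split(" ".join(multi_options))


def build_args_hardened(multi_options):
    # Split first, then validate exactly the argv that will reach git.
    args = shlex.split(" ".join(multi_options))
    check_options(args)
    return args


def is_rejected(builder, multi_options):
    # Helper: True when the builder refuses the options.
    try:
        builder(multi_options)
    except UnsafeOptionError:
        return True
    return False


if __name__ == "__main__":
    sample = ["--branch main --config core.hooksPath=/x"]  # string from the advisory
    print("vulnerable argv:", build_args_vulnerable(sample))
    print("hardened rejects:", is_rejected(build_args_hardened, sample))
```

Any check of this kind has to run on the final argument vector, after every join, split or expansion step, so that what is validated is byte-for-byte what is executed.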