This update for python-dulwich to version 0.18.5 fixes this security issue:
CVE-2017-16228: Dulwich, when an SSH subprocess is used, allowed remote
attackers to execute arbitrary commands via an ssh URL with an initial dash
character in the hostname (bsc#1066430).
For detailed changes please see https://www.dulwich.io/code/dulwich/