11 lines
431 B
Text
11 lines
431 B
Text
|
CVE-2017-12976: A hostname starting with a dash would get passed to ssh and be treated as
|
||
|
an option. This could be used by an attacker who provides a crafted
|
||
|
repository url to cause the victim to execute arbitrary code via
|
||
|
`-oProxyCommand`.
|
||
|
|
||
|
Fixed in git-annex 6.20170818
|
||
|
|
||
|
This is related to a git security hole, [CVE-2017-1000117](https://marc.info/?l=git&m=150238802328673&w=2).
|
||
|
|
||
|
[[!meta date="Fri, 18 Aug 2017 11:19:06 -0400"]]
|