add bug for security hole, with exploit details

doc/bugs/dashed_ssh_hostname_security_hole.mdwn

@@ -0,0 +1,25 @@
+git-annex was vulnerable to the same class of security hole as
+git's CVE-2017-1000117. In several cases, git-annex parses a repository
+url, and uses it to generate a ssh command, with the hostname to ssh to
+coming from the url. If the hostname it parses is something like
+"-eProxyCommand=evil", this could result in arbitrary local code execution
+via ssh.
+
+I have not bothered to try to exploit the problem, and some details of URL
+parsing may prevent the exploit working in some cases.
+
+Exploiting this would involve the attacker tricking the victim into adding
+a remote something like "ssh://-eProxyCommand=evil/blah".
+
+One possible avenue for an attacker that avoids exposing the URL to the
+user is to use initremote with a ssh remote, so embedding the URL in the
+git-annex branch. Then the victim would enable it with enableremote.
+
+This was fixed in version 6.20170818. Now there's a SshHost type that
+is not allowed to start with a dash, and every invocation of git-annex is
+in a function that takes a SshHost. 
+
+[[done]]
+
+--[[Joey]]
+

doc/news/version_6.20170818.mdwn

@@ -1,6 +1,9 @@
-**Note** this is a security fix release. While the security
+**Note** this is a security fix release. A prompt upgrade is strongly
-hole needs perhaps some social engineering to exploit, a prompt upgrade is
+recommended. Attacks using this security hole will involve the attacker
-strongly recommended.
+either providing a ssh repository url to the user, or the user pulling from
+a git-annex repository provided by an attacker and then running `git annex
+enableremote`. For details about the security hole, see
+[[bugs/dashed_ssh_hostname_security_hole]].
 
 git-annex 6.20170818 released with [[!toggle text="these changes"]]
 [[!toggleable text="""