CVE-2017-12976

CHANGELOG

@@ -4,6 +4,7 @@ git-annex (6.20170818) unstable; urgency=high
     would get passed to ssh and be treated an option. This could
     be used by an attacker who provides a crafted repository url
     to cause the victim to execute arbitrary code via -oProxyCommand.
+    CVE-2017-12976
     (The same class of security hole recently affected git itself.)
   * git-annex.cabal: Deal with breaking changes in Cabal 2.0.
   * Fix build with QuickCheck 2.10.

doc/bugs/dashed_ssh_hostname_security_hole.mdwn

@@ -19,6 +19,8 @@ This was fixed in version 6.20170818. Now there's a SshHost type that
 is not allowed to start with a dash, and every invocation of ssh is
 in a function that takes a SshHost. 
 
+CVE-2017-12976 has been assigned for this issue.
+
 [[done]]
 
 --[[Joey]]

doc/news/version_6.20170818.mdwn

@@ -3,7 +3,7 @@ recommended. Attacks using this security hole will involve the attacker
 either providing a ssh repository url to the user, or the user pulling from
 a git-annex repository provided by an attacker and then running `git annex
 enableremote`. For details about the security hole, see
-[[bugs/dashed_ssh_hostname_security_hole]].
+[[bugs/dashed_ssh_hostname_security_hole]]. CVE-2017-12976
 
 git-annex 6.20170818 released with [[!toggle text="these changes"]]
 [[!toggleable text="""