From c76ba5a15e94b6b948d5302f2badc8058c3ddadc Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Sun, 20 Aug 2017 16:50:53 -0400
Subject: [PATCH] CVE-2017-12976

---
 CHANGELOG                                       | 1 +
 doc/bugs/dashed_ssh_hostname_security_hole.mdwn | 2 ++
 doc/news/version_6.20170818.mdwn                | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0c0f5631f8..05f13456f9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ git-annex (6.20170818) unstable; urgency=high
     would get passed to ssh and be treated an option. This could
     be used by an attacker who provides a crafted repository url
     to cause the victim to execute arbitrary code via -oProxyCommand.
+    CVE-2017-12976
     (The same class of security hole recently affected git itself.)
   * git-annex.cabal: Deal with breaking changes in Cabal 2.0.
   * Fix build with QuickCheck 2.10.
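Review bot: the added `CVE-2017-12976` line sits as a bare token between the sentence ending in "-oProxyCommand." and the parenthetical that follows, so the entry never says what the identifier refers to. Consider attaching it to the sentence, for example "(CVE-2017-12976)" at the end of the -oProxyCommand line, or using a full sentence such as "CVE-2017-12976 has been assigned for this issue." as the bug page hunk in this patch does. While this entry is being touched, the context line "be treated an option" is missing "as".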
diff --git a/doc/bugs/dashed_ssh_hostname_security_hole.mdwn b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
index 048f9597b7..cdae023913 100644
--- a/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
+++ b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
@@ -19,6 +19,8 @@ This was fixed in version 6.20170818. Now there's a SshHost type that
 is not allowed to start with a dash, and every invocation of ssh is
 in a function that takes a SshHost. 
 
+CVE-2017-12976 has been assigned for this issue.
+
 [[done]]
 
 --[[Joey]]
diff --git a/doc/news/version_6.20170818.mdwn b/doc/news/version_6.20170818.mdwn
index 97ad292ead..388f36562b 100644
--- a/doc/news/version_6.20170818.mdwn
+++ b/doc/news/version_6.20170818.mdwn
@@ -3,7 +3,7 @@ recommended. Attacks using this security hole will involve the attacker
 either providing a ssh repository url to the user, or the user pulling from
 a git-annex repository provided by an attacker and then running `git annex
 enableremote`. For details about the security hole, see
-[[bugs/dashed_ssh_hostname_security_hole]].
+[[bugs/dashed_ssh_hostname_security_hole]]. CVE-2017-12976
 
 git-annex 6.20170818 released with [[!toggle text="these changes"]]
 [[!toggleable text="""
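Review bot: on the changed line, `CVE-2017-12976` is appended after the period that closes the link sentence, with no verb or punctuation of its own, so the paragraph now ends in a fragment. Suggest moving it inside the sentence, for example "see [[bugs/dashed_ssh_hostname_security_hole]] (CVE-2017-12976).", or reusing the bug page's wording "CVE-2017-12976 has been assigned for this issue." so the news item, the bug page and the CHANGELOG state the identifier consistently.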