CVE-2017-12976: A hostname starting with a dash would get passed to ssh and be treated as
an option. This could be used by an attacker who provides a crafted
repository url to cause the victim to execute arbitrary code via
`-oProxyCommand`.

Fixed in git-annex 6.20170818

This is related to a git security hole, [CVE-2017-1000117](https://marc.info/?l=git&m=150238802328673&w=2).

[[!meta date="Fri, 18 Aug 2017 11:19:06 -0400"]]