Security update for git-annex
This update for git-annex fixes the following issues:
- CVE-2017-12976:
Disallow hostname starting with a dash, which
would get passed to ssh and be treated an option. This could
be used by an attacker who provides a crafted repository url
to cause the victim to execute arbitrary code via -oProxyCommand. (boo#1054653).
-
Submitted by
Peter Simons (psimons)
Fixed bugs
bnc#1054653
VUL-0: CVE-2017-12976: git-annex: before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand URL, a related issue to CVE-
