File _patchinfo of Package patchinfo.7168

<patchinfo incident="7168">
  <issue id="1054653" tracker="bnc">VUL-0: CVE-2017-12976: git-annex: before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand  URL, a related issue to CVE-</issue>
  <issue id="2017-12976" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>psimons</packager>
  <description>This update for git-annex fixes the following issues:

- CVE-2017-12976:
    Disallow hostnames starting with a dash, which
    would get passed to ssh and be treated as an option. This could
    be used by an attacker who provides a crafted repository URL
    to cause the victim to execute arbitrary code via -oProxyCommand (boo#1054653).
</description>
  <summary>Security update for git-annex</summary>
</patchinfo>