FS#65227 - [bzr] CVE-2017-14176
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Tuesday, 21 January 2020, 13:25 GMT
Last edited by freswa (frederik) - Thursday, 13 February 2020, 12:39 GMT
Opened by loqs (loqs) - Tuesday, 21 January 2020, 13:25 GMT
Last edited by freswa (frederik) - Thursday, 13 February 2020, 12:39 GMT
|
Details
Description:
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname. Additional info: * bzr 2.7.0-3 * https://bugs.launchpad.net/brz/+bug/1710979 * https://bazaar.launchpad.net/~brz/brz/trunk/revision/6754 (fix was applied to breezy but not backported to bzr) * https://sources.debian.org/src/bzr/2.7.0+bzr6622-15/debian/patches/27_fix_sec_ssh/ (patch as backported by Debian) |
This task depends upon
Closed by freswa (frederik)
Thursday, 13 February 2020, 12:39 GMT
Reason for closing: Fixed
Additional comments about closing: breezy 3.0.2.3
Thursday, 13 February 2020, 12:39 GMT
Reason for closing: Fixed
Additional comments about closing: breezy 3.0.2.3