Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#65227 - [bzr] CVE-2017-14176

Attached to Project: Arch Linux
Opened by loqs (loqs) - Tuesday, 21 January 2020, 13:25 GMT
Last edited by freswa (frederik) - Thursday, 13 February 2020, 12:39 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname.

Additional info:
* bzr 2.7.0-3
* (fix was applied to breezy but not backported to bzr)
* (patch as backported by Debian)
This task depends upon

Closed by  freswa (frederik)
Thursday, 13 February 2020, 12:39 GMT
Reason for closing:  Fixed
Additional comments about closing:  breezy