[3.7] bzr: does not strip bzr+ssh SSH options (CVE-2017-14176) (#8298) · Issues · alpine / aports

[3.7] bzr: does not strip bzr+ssh SSH options (CVE-2017-14176)

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute
arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname

Fixed In Version:

bzr 3.0

References:

https://bugs.launchpad.net/bzr/+bug/1710979
https://nvd.nist.gov/vuln/detail/CVE-2017-14176

Patch:

https://lists.nongnu.org/archive/html/guix-patches/2017-12/msg00029.html

(from redmine: issue id 8298, created on 2017-12-14, closed on 2018-01-02)

Relations:
- parent #8296 (closed)
Changesets:
- Revision 32b1d336 on 2017-12-29T10:51:14Z:

community/bzr: security fix (CVE-2017-14176)

Fixes #8298

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information