[3.7] bzr: does not strip bzr+ssh SSH options (CVE-2017-14176)
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname.
Fixed In Version:
bzr 3.0
References:
https://bugs.launchpad.net/bzr/+bug/1710979
https://nvd.nist.gov/vuln/detail/CVE-2017-14176
Patch:
https://lists.nongnu.org/archive/html/guix-patches/2017-12/msg00029.html
(from redmine: issue id 8298, created on 2017-12-14, closed on 2018-01-02)
- Relations:
- parent #8296 (closed)
- Changesets:
- Revision 32b1d336 on 2017-12-29T10:51:14Z:
community/bzr: security fix (CVE-2017-14176)
Fixes #8298
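
A defensive check for the flaw described in this issue, as an added example that is not Bazaar's code or the referenced patch: a bzr+ssh URL is validated before its parts reach the ssh argument vector, and `--` ends option parsing ahead of the hostname. The function name, the allow-list patterns, the sample URLs and the default remote command are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Conservative allow-lists (assumption): DNS names and IPv4 literals only,
# first character alphanumeric, so a leading "-" can never be accepted.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
_USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")


class UnsafeSSHTarget(ValueError):
    """Raised when a URL component could be read by ssh as an option."""


def build_ssh_argv(url, ssh_program="ssh", remote_cmd=("bzr", "serve", "--inet")):
    """Return an argv list for a subprocess ssh call, or raise UnsafeSSHTarget.

    remote_cmd is a placeholder default, not taken from the issue.
    """
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise UnsafeSSHTarget("unexpected scheme: %r" % parts.scheme)

    host, user = parts.hostname, parts.username
    if not host or not _HOST_RE.fullmatch(host):
        raise UnsafeSSHTarget("rejected hostname: %r" % host)
    if user is not None and not _USER_RE.fullmatch(user):
        raise UnsafeSSHTarget("rejected username: %r" % user)
    try:
        port = parts.port  # raises ValueError when non-numeric or out of range
    except ValueError as exc:
        raise UnsafeSSHTarget("rejected port") from exc

    argv = [ssh_program]
    if port is not None:
        argv += ["-p", str(port)]
    if user is not None:
        argv += ["-l", user]
    # "--" stops option parsing, so the host is always treated as a
    # positional argument even if validation above were ever loosened.
    argv += ["--", host, *remote_cmd]
    return argv


if __name__ == "__main__":
    # Constructed sample URLs, not values from the issue.
    for sample in ("bzr+ssh://alice@code.example.org:2222/repo",
                   "bzr+ssh://-option.example/repo"):
        try:
            print(sample, "->", build_ssh_argv(sample))
        except UnsafeSSHTarget as err:
            print(sample, "-> refused:", err)
```

The list is meant to be passed to `subprocess` without `shell=True`, so no shell re-parses the validated components.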