<email address hidden> weakness, remote attackers to execute arbitrary

Bug #1736244 reported by Carl on 2017-12-04
This bug report is a duplicate of: Bug #1710979: bzr+ssh URLs don't strip SSH options.
This bug affects 1 person
Affects: Bazaar
Importance: Undecided
Assigned to: Unassigned

Bug Description

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
SB17-338: Vulnerability Summary for the Week of November 27, 2017
https://www.us-cert.gov/ncas/bulletins/SB17-338

Carl (carlhansen1234) on 2017-12-04
information type: Private Security → Public Security
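
The mitigation for this class of bug, as an added example that is not Bazaar's own code: validate the URL components before they reach the ssh subprocess, and end option parsing with `--` so the host is always positional. The helper names are hypothetical, an OpenSSH-style client that honours `--` is assumed, and the username check goes beyond the hostname case described in the report.

```python
import re
from urllib.parse import urlsplit

# Conservative allowlists: the first character can never be "-".
_HOST_RE = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9._:-]*$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


class UnsafeSSHTarget(ValueError):
    """A URL component could be read by ssh as a command-line option."""


def build_ssh_argv(url, remote_command, ssh_executable="ssh"):
    """Turn a bzr+ssh URL into an argv list for subprocess (no shell).

    Hypothetical helper for illustration; not a Bazaar function.
    """
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL")
    host, user = parts.hostname, parts.username
    if not host or not _HOST_RE.match(host):
        raise UnsafeSSHTarget("rejected host %r" % host)
    if user is not None and not _USER_RE.match(user):
        raise UnsafeSSHTarget("rejected user %r" % user)
    argv = [ssh_executable]
    if parts.port is not None:
        argv += ["-p", str(parts.port)]
    if user is not None:
        argv += ["-l", user]
    # "--" ends option parsing (OpenSSH-style client assumed), so the host
    # is always taken as a positional argument even if validation regresses.
    argv += ["--", host]
    return argv + list(remote_command)


def check(url):
    """Return ("ok", argv) or ("rejected", reason) without raising."""
    try:
        return "ok", build_ssh_argv(url, ["remote-command"])
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample URLs; the option name is a harmless placeholder.
    for sample in ("bzr+ssh://dev@code.example.org:2222/repo",
                   "bzr+ssh://-oPlaceholderOption=1/repo"):
        print(sample, "->", check(sample))
```
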
This report contains Public Security information
Everyone can see this security related information.