[Secure-testing-team] Bug#874429: bzr: bzr+ssh URLs don't strip SSH options

Salvatore Bonaccorso carnil at debian.org
Wed Sep 6 04:37:15 UTC 2017


Source: bzr
Version: 2.6.0+bzr6595-6
Severity: grave
Tags: upstream security
Justification: user security hole
Control: fixed -1 2.7.0+bzr6622-7

Hi

This is handled already in unstable with 2.7.0+bzr6622-7; this bug is
to track the issue until the CVE is assigned and properly identified
via a CVE. A CVE was apparently requested, reading LP #1710979.

bzr (2.7.0+bzr6622-7) unstable; urgency=high

  * Add patch 27_fix_sec_ssh: Strip out hostnames starting with dash in
    bzr+ssh URLs, as they might allow an attacker to provide SSH command-
    line flags. LP: #1710979

https://bugs.launchpad.net/bzr/+bug/1710979

Regards,
Salvatore
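As an added illustration of the mitigation named in the changelog above (not bzr's own patch, nor code from the report), the following Python sketch parses a bzr+ssh URL and refuses any host or user component that begins with a dash before it is handed to ssh. The function names, the `UnsafeHostError` class and the placeholder remote command are assumptions for this example.

```python
from urllib.parse import urlsplit


class UnsafeHostError(ValueError):
    """Raised when a URL component could be read by ssh as an option."""


def split_bzr_ssh_url(url):
    """Return (user, host, port, path) for a bzr+ssh:// URL.

    Any host or user beginning with '-' is rejected: ssh would otherwise
    parse it as a command-line flag instead of a hostname.
    """
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % url)
    host = parts.hostname or ""
    if not host or host.startswith("-"):
        raise UnsafeHostError("refusing host that looks like an ssh option: %r" % host)
    user = parts.username
    if user is not None and user.startswith("-"):
        raise UnsafeHostError("refusing user that looks like an ssh option: %r" % user)
    return user, host, parts.port, parts.path


def ssh_argv(url, remote_cmd=("bzr", "serve", "--inet")):
    """Build the ssh argument vector for a validated bzr+ssh URL.

    remote_cmd is a placeholder for whatever the client would run on the
    remote side (assumption for this example, not bzr's real command line).
    The '--' marker is added as defence in depth: OpenSSH's getopt-based
    option parsing stops at '--', so nothing after it is read as a flag.
    """
    user, host, port, _path = split_bzr_ssh_url(url)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    target = host if user is None else "%s@%s" % (user, host)
    argv += ["--", target]
    argv += list(remote_cmd)
    return argv


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one with a dash-prefixed host.
    print(ssh_argv("bzr+ssh://alice@bzr.example.org:2222/srv/repo"))
    try:
        ssh_argv("bzr+ssh://-x.example.org/srv/repo")
    except UnsafeHostError as e:
        print("rejected:", e)
```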
