Security update for git-annex SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2309-1 Final 1 1 2017-08-30T21:19:00Z current 2017-08-30T21:19:00Z 2017-08-30T21:19:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git-annex This update for git-annex fixes the following issues: - CVE-2017-12976: Disallow hostname starting with a dash, which would get passed to ssh and be treated an option. This could be used by an attacker who provides a crafted repository url to cause the victim to execute arbitrary code via -oProxyCommand. (boo#1054653). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-08/msg00115.html E-Mail link for openSUSE-SU-2017:2309-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 git-annex-6.20170818-3.1 git-annex-bash-completion-6.20170818-3.1 git-annex-6.20170818-3.1 as a component of openSUSE Leap 42.2 git-annex-bash-completion-6.20170818-3.1 as a component of openSUSE Leap 42.2 git-annex-6.20170818-3.1 as a component of openSUSE Leap 42.3 git-annex-bash-completion-6.20170818-3.1 as a component of openSUSE Leap 42.3 git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117. CVE-2017-12976 openSUSE Leap 42.2:git-annex-6.20170818-3.1 openSUSE Leap 42.2:git-annex-bash-completion-6.20170818-3.1 openSUSE Leap 42.3:git-annex-6.20170818-3.1 openSUSE Leap 42.3:git-annex-bash-completion-6.20170818-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00115.html https://www.suse.com/security/cve/CVE-2017-12976.html CVE-2017-12976 https://bugzilla.suse.com/1052481 SUSE Bug 1052481 https://bugzilla.suse.com/1052696 SUSE Bug 1052696 https://bugzilla.suse.com/1052932 SUSE Bug 1052932 https://bugzilla.suse.com/1053364 SUSE Bug 1053364 https://bugzilla.suse.com/1053919 SUSE Bug 1053919 https://bugzilla.suse.com/1054653 SUSE Bug 1054653 https://bugzilla.suse.com/1066430 SUSE Bug 1066430 https://bugzilla.suse.com/1071709 SUSE Bug 1071709