CVE-2017-12836

Published: 13 August 2017

CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
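
The issue described above depends on a hostname that begins with "-" reaching the ssh command line, where it is read as an option. The following C code is an added example, not code from CVS or from the Debian patch: it validates the host part of a repository spec before it is handed to ssh. The `[user@]host:/path` layout, the function names and the sample inputs are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only letters, digits, '.', '-', '_' and never a leading '-',
 * so the value cannot be parsed by ssh as a command-line option. */
static int host_is_safe(const char *h, size_t len)
{
    if (len == 0 || h[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Split a "[user@]host:/path" spec (assumed layout) and copy the host to out.
 * Returns 0 on success, -1 if the spec is malformed or the host is unsafe. */
int extract_safe_host(const char *spec, char *out, size_t outlen)
{
    const char *colon = strchr(spec, ':');
    if (colon == NULL)
        return -1;
    const char *at = memchr(spec, '@', (size_t)(colon - spec));
    const char *host = at ? at + 1 : spec;
    size_t len = (size_t)(colon - host);
    if (!host_is_safe(host, len) || len >= outlen)
        return -1;
    memcpy(out, host, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second is the string quoted in the CVE text. */
    const char *specs[] = { "alice@cvs.example.org:/srv/repo",
                            "-oProxyCommand=id;localhost:/bar" };
    char host[256];
    for (size_t i = 0; i < 2; i++) {
        if (extract_safe_host(specs[i], host, sizeof host) == 0)
            printf("accepted host: %s\n", host);
        else
            printf("rejected spec: %s\n", specs[i]);
    }
    return 0;
}
```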

Notes

Author    Note
sbeattie  patch in Debian bug report

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: cvs (Launchpad, Ubuntu, Debian)

Release   Status
upstream  Released (2:1.12.13+real-24)
precise   Does not exist
trusty    Does not exist (trusty was released [2:1.12.13+real-12ubuntu0.1])
xenial    Released (2:1.12.13+real-15ubuntu0.1)
zesty     Released (2:1.12.13+real-22ubuntu0.1)