CVE-2017-12836 in Ubuntu

CVE-2017-12836

Priority

Description

CVS 1.12.x, when configured to use SSH for remote repositories, might allow
remote attackers to execute arbitrary code via a repository URL with a
crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
http://www.openwall.com/lists/oss-security/2017/08/11/1
https://ubuntu.com/security/notices/USN-3399-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810

Assigned-to

leosilva

Notes

sbeattie

patch in debian bug report

Package

Source: cvs (LP Ubuntu Debian)

Upstream:	released (2:1.12.13+real-24)
Ubuntu 16.04 ESM:	released (2:1.12.13+real-15ubuntu0.1)
Ubuntu 14.04 ESM:	DNE (trusty was released [2:1.12.13+real-12ubuntu0.1])

Patches:

More Information

Mitre
NVD
Launchpad
Debian

Updated: 2022-04-13 12:53:48 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)