Description
CVS 1.12.x, when configured to use SSH for remote repositories, might allow
remote attackers to execute arbitrary code via a repository URL with a
crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
Notes
sbeattie | patch in debian bug report |
Package
Upstream: | released
(2:1.12.13+real-24)
|
Ubuntu 16.04 ESM: | released
(2:1.12.13+real-15ubuntu0.1)
|
Ubuntu 14.04 ESM: | DNE
(trusty was released [2:1.12.13+real-12ubuntu0.1])
|
Patches:
Updated: 2022-04-13 12:53:48 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)