Candidate: CVE-2017-16228
PublicDate: 2017-10-29 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16228
 https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
 https://tracker.debian.org/news/882440
 https://www.dulwich.io/code/dulwich/
 https://www.bleepingcomputer.com/news/security/git-project-patches-remote-code-execution-vulnerability-in-git/
Description:
 Dulwich before 0.18.5, when an SSH subprocess is used, allows remote
 attackers to execute arbitrary commands via an ssh URL with an initial dash
 character in the hostname, a related issue to CVE-2017-9800,
 CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_dulwich:
 upstream: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
upstream_dulwich: released (0.18.5-1)
precise/esm_dulwich: DNE
trusty_dulwich: ignored (reached end-of-life)
trusty/esm_dulwich: DNE (trusty was needed)
xenial_dulwich: ignored (end of standard support, was needed)
zesty_dulwich: ignored (reached end-of-life)
artful_dulwich: ignored (reached end-of-life)
bionic_dulwich: not-affected (0.18.5-1)
cosmic_dulwich: not-affected (0.18.5-1)
disco_dulwich: not-affected (0.18.5-1)
eoan_dulwich: not-affected (0.18.5-1)
focal_dulwich: not-affected (0.18.5-1)
groovy_dulwich: not-affected (0.18.5-1)
hirsute_dulwich: not-affected (0.18.5-1)
impish_dulwich: not-affected (0.18.5-1)
jammy_dulwich: not-affected (0.18.5-1)
devel_dulwich: not-affected (0.18.5-1)