Candidate: CVE-2017-17459
PublicDate: 2017-12-07 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
 https://www.fossil-scm.org/xfer/info/1f63db591c77108c
 https://bugzilla.opensuse.org/show_bug.cgi?id=1071709
 https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki#v2_4
Description:
 http_transport.c in Fossil before 2.4, when the SSH sync protocol is used,
 allows user-assisted remote attackers to execute arbitrary commands via an
 ssh URL with an initial dash character in the hostname, a related issue to
 CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176,
 CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_fossil:
upstream_fossil: released (1:2.4-1)
precise/esm_fossil: DNE
trusty_fossil: ignored (reached end-of-life)
trusty/esm_fossil: DNE (trusty was needed)
xenial_fossil: ignored (end of standard support, was needed)
zesty_fossil: ignored (reached end-of-life)
artful_fossil: ignored (reached end-of-life)
bionic_fossil: not-affected (1:2.5-1)
cosmic_fossil: not-affected (1:2.5-1)
disco_fossil: not-affected (1:2.5-1)
eoan_fossil: not-affected (1:2.5-1)
focal_fossil: not-affected (1:2.5-1)
groovy_fossil: not-affected (1:2.5-1)
hirsute_fossil: not-affected (1:2.5-1)
impish_fossil: not-affected (1:2.5-1)
jammy_fossil: not-affected (1:2.5-1)
devel_fossil: not-affected (1:2.5-1)