CVE-2017-1000117

Priority
Medium
Description
A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Ubuntu-Description
Brian Neel, Joern Schneeweisz, and Jeff King discovered that Git did
not properly handle host names in 'ssh://' URLs. A remote attacker
could use this to construct a git repository that when accessed
could run arbitrary code with the privileges of the user.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
http://marc.info/?l=git&m=150238802328673&w=2
http://www.ubuntu.com/usn/usn-3387-1
Package
Source: git (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 17.10 (Artful Aardvark):pending (1:2.14.1-1ubuntu2)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (1:1.9.1-1ubuntu0.6)
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (1:2.7.4-0ubuntu1.2)
Ubuntu 17.04 (Zesty Zapus):released (1:2.11.0-2ubuntu0.2)
More Information

Updated: 2017-08-16 00:14:12 UTC (commit 13106)