Note:
This project will be discontinued after December 13, 2021. [more]
2017-08-24
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
| Products | Ubuntu_linux, Debian_linux, Cvs |
| Type | ? (NVD-CWE-noinfo) |
| First patch | - None (likely due to unavailable code) |
| Links |
• https://bugzilla.redhat.com/show_bug.cgi?id=1480800
• http://www.securityfocus.com/bid/100279 • http://lists.nongnu.org/archive/html/bug-cvs/2017-08/msg00000.html • http://www.openwall.com/lists/oss-security/2017/08/11/1 • https://security.gentoo.org/glsa/201709-17 |