[MacPorts] #55439: bzr: Backport fix for CVE-2017-14176

MacPorts noreply at macports.org
Thu Nov 30 16:09:27 UTC 2017


#55439: bzr: Backport fix for CVE-2017-14176
----------------------+--------------------
 Reporter:  raimue    |      Owner:  raimue
     Type:  defect    |     Status:  new
 Priority:  Normal    |  Milestone:
Component:  ports     |    Version:
 Keywords:  security  |       Port:  bzr
----------------------+--------------------
 Upstream issue: https://bugs.launchpad.net/bzr/+bug/1710979

 {{{
 Bazaar suffers from the same bug that affects Mercurial and Git:

 A hostname that starts with a - is passed on verbatim to the ssh command,
 which means that the host bit in the URL can be used to set arbitrary SSH
 options.

 E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

 Presumably this only affects users that are using the Subprocess SSH
 vendor, and not those using the Paramiko SSH Vendor.
 }}}

--
Ticket URL: <https://trac.macports.org/ticket/55439>
MacPorts <https://www.macports.org/>
Ports system for macOS
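
Added example, not part of the ticket and not bzr's or MacPorts' code: a Python sketch of the argument-handling flaw the report describes, next to one way to reject option-like hosts before ssh is invoked. The function names, the REMOTE_CMD placeholder and the example.org URL are assumptions made for illustration; the first test URL is the one quoted in the report.

```python
from urllib.parse import urlsplit

# Placeholder for whatever command is run on the remote side (assumption,
# not bzr's real remote command line).
REMOTE_CMD = ["remote-command"]


class UnsafeSSHHost(ValueError):
    """The URL's host or user would be read by ssh as a command-line option."""


def split_ssh_url(url):
    """Return (user, host, port) from scheme://[user[:pw]@]host[:port]/path."""
    netloc = urlsplit(url).netloc
    userinfo, _, hostport = netloc.rpartition("@")
    user = userinfo.split(":", 1)[0] or None
    host, _, port = hostport.partition(":")  # IPv6 literals not handled here
    return user, host, (int(port) if port else None)


def naive_ssh_argv(url):
    """Behaviour described in the report: the host is copied verbatim."""
    user, host, port = split_ssh_url(url)
    argv = ["ssh"]
    if port:
        argv += ["-p", str(port)]
    if user:
        argv += ["-l", user]
    return argv + [host] + REMOTE_CMD


def checked_ssh_argv(url):
    """Same argv, but refuse an empty host or any host/user starting with '-'."""
    user, host, _ = split_ssh_url(url)
    if not host or host.startswith("-"):
        raise UnsafeSSHHost("refusing host %r from %r" % (host, url))
    # Conservative: a leading '-' in the user name is rejected as well.
    if user is not None and user.startswith("-"):
        raise UnsafeSSHHost("refusing user %r from %r" % (user, url))
    return naive_ssh_argv(url)


if __name__ == "__main__":
    reported = "bzr+ssh://-oProxyCommand=ls/path"  # URL quoted in the report
    print("naive  :", naive_ssh_argv(reported))
    try:
        checked_ssh_argv(reported)
    except UnsafeSSHHost as exc:
        print("checked:", exc)
```

In the naive form the second argv element begins with `-`, so ssh parses it as an option rather than a destination; the checked form raises before any subprocess would be started.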

