Your message dated Fri, 06 Jul 2018 13:32:09 +0000 with message-id <e1fbqqh-0006da...@fasolo.debian.org> and subject line Bug#873088: fixed in git-annex 6.20170101-1+deb9u2 has caused the Debian Bug report #873088, regarding git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 873088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873088 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: git-annex X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org Severity: grave Tags: security Hi, the following vulnerability was published for git-annex. CVE-2017-12976[0]: | git-annex before 6.20170818 allows remote attackers to execute | arbitrary commands via an ssh URL with an initial dash character in the | hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related | issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and | CVE-2017-1000117. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-12976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12976 Please adjust the affected versions in the BTS as needed.
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: git-annex Source-Version: 6.20170101-1+deb9u2 We believe that the bug you reported is fixed in the latest version of git-annex, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 873...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sean Whitton <spwhit...@spwhitton.name> (supplier of updated git-annex package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 22 Jun 2018 16:42:37 +0100 Source: git-annex Binary: git-annex Architecture: source Version: 6.20170101-1+deb9u2 Distribution: stretch Urgency: high Maintainer: Richard Hartmann <ric...@debian.org> Changed-By: Sean Whitton <spwhit...@spwhitton.name> Description: git-annex - manage files with git, without checking their contents into git Closes: 873088 Changes: git-annex (6.20170101-1+deb9u2) stretch; urgency=high . [ Joey Hess ] * CVE-2018-10857: - Added annex.security.allowed-url-schemes setting, which defaults to only allowing http, https, and ftp URLs. Note especially that file:/ is no longer enabled by default. - Removed annex.web-download-command, since its interface does not allow supporting annex.security.allowed-url-schemes across redirects. If you used this setting, you may want to instead use annex.web-options to pass options to curl. - git-annex will refuse to download content from the web, to prevent accidental exposure of data on private webservers on localhost and the LAN. This can be overridden with the annex.security.allowed-http-addresses setting. (The S3, glacier, and webdav special remotes are still allowed to download from the web.) * CVE-2018-10857 and CVE-2018-10859: - Refuse to download content, that cannot be verified with a hash, from encrypted special remotes (for CVE-2018-10859), and from all external special remotes (for CVE-2018-10857). In particular, URL and WORM keys stored on such remotes won't be downloaded. If this affects your files, you can run `git-annex migrate` on the affected files, to convert them to use a hash. - Added annex.security.allow-unverified-downloads, which can override the above. . git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL (Closes: #873088) Checksums-Sha1: 440c1251fbe20dbf443c6df5fe751ca44aab2887 5240 git-annex_6.20170101-1+deb9u2.dsc 2645dcd551cc00c03a293187953445c506d17cd4 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz Checksums-Sha256: d485b213f7596fae899917671b7a78a9e0535b22a7cac51748c4e5842556aca2 5240 git-annex_6.20170101-1+deb9u2.dsc b7e9d0160a782c1b2a97e559e88c21189281cd460fb41cc8217e7e76251877a1 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz Files: 75bec588ccb2a7d3d46ae77032467477 5240 utils optional git-annex_6.20170101-1+deb9u2.dsc 54bbb6bbb30144bd55aa37a886accb43 88536 utils optional git-annex_6.20170101-1+deb9u2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAls+kLMACgkQaVt65L8G YkBjJRAAsfhrRk1ATOTvhv/6rufv7tM+TbTBsU8yBmdT+TEAz3vHs6KpIR8XNSXn VI2OOTRIXjHQm62cfNSPle4MHL6b6N1hSUWq9YJxoYm0gi/fay4CrLjvpDZIulve vaVvU3/m4s8p6YeiEekdd0JxWB+BdA0N4JaWLA5bkIEjBT/CAcMm5dJ1shNXPkph NpBbVyOVtNN224Z5wnXYyteFOnrunz1CaqXgkSzrdo0HppwNMjEK00xKgTcDcOHG ZIzwINmSjzO7PiQI0Lngu9MAuOrLxRQeyhFpc77XmMjDcZP8db2a1p2tkTPQEWXA A3ouHa715vj/bFtTsavcmJKagGuXjJOcIOIhK3okJCOoTdVEWfdyTV6pMDuLQqQv yK3CiIHawTQcpfsEzZSTRF1+LlOI4i3z9Qu6p50yuK2nCowVLNal0lVbtKfAIuhx W4I03iB3OQ5ifSlTC8XWKTeKPE4JBmA2tOmskl7naSPR1fD0E9qyn5n9Pe1Amwl+ ttPgu038opQj1t//e49vSmwvNCpdTvSNIfST3UZY7XevhH/2xFCWDDT21R9NtMnx +knn8T0PAU6uHCDcNwvg2ILL0WGk3dGjUyTbHEPybNX7ZqFkxS1tRxo5d6T+gNBF XHrxIslJkrRcjVKs6iPeFeNERljKrbmuOe4nb/uNu30zIMsph0E= =+jvY -----END PGP SIGNATURE-----
--- End Message ---
