Neal Becker wrote:
> CVE-2017-1000116:
>
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.

For curious parties, git and subversion are also similarly vulnerable. I have git builds in progress for f25, f26, and rawhide now.

I also forwarded the git announcement to the Red Hat security team. They likely already know, but I don't see any tracker bugs in bugzilla yet (for git's CVE anyway, CVE-2017-1000117).

--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hard work never killed anybody, but why take a chance?
   -- Charlie McCarthy
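
The check whose absence the quoted advisory describes, as an added Python example (not code from Mercurial, git, subversion or this thread): refuse an ssh:// URL whose hostname or username would be read by ssh as an option, then build an argv list with no shell in between. The names `build_ssh_argv`, `is_safe`, `UnsafeSSHURL` and `remote_cmd` are hypothetical, the sample URLs are constructed, and the `--` separator assumes a client that stops option parsing there.

```python
from urllib.parse import urlsplit, unquote

class UnsafeSSHURL(ValueError):
    """The URL has a part that ssh could parse as a command-line option."""

def build_ssh_argv(url, remote_cmd, ssh="ssh"):
    """Build an argv list for ssh from an ssh:// URL (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme != "ssh" or not parts.netloc:
        raise UnsafeSSHURL("not an ssh:// URL: %r" % url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    # Bracketed IPv6 literals are not handled; they fail the port check below.
    host, _, port = hostport.partition(":")
    # Decode first so "%2DoProxyCommand" is checked as "-oProxyCommand".
    user = unquote(userinfo.split(":", 1)[0])
    host = unquote(host)
    if not host:
        raise UnsafeSSHURL("empty hostname")
    for label, value in (("hostname", host), ("username", user)):
        # ssh treats any argument that begins with "-" as an option.
        if value.startswith("-"):
            raise UnsafeSSHURL("%s starts with '-': %r" % (label, value))
    if port and not (port.isascii() and port.isdigit()):
        raise UnsafeSSHURL("non-numeric port: %r" % port)
    argv = [ssh]
    if port:
        argv += ["-p", port]
    if user:
        argv += ["-l", user]
    # Assumption: the client stops option parsing at "--" (getopt behaviour).
    return argv + ["--", host, remote_cmd]

def is_safe(url):
    """True if build_ssh_argv accepts the URL, False if it refuses it."""
    try:
        build_ssh_argv(url, "true")
        return True
    except UnsafeSSHURL:
        return False

if __name__ == "__main__":
    # Constructed sample URLs; PLACEHOLDER stands in for any option value.
    for u in ("ssh://user@example.org:2222/repo",
              "ssh://-oProxyCommand=PLACEHOLDER/repo",
              "ssh://%2DoProxyCommand=PLACEHOLDER/repo"):
        print(u, "->", "accepted" if is_safe(u) else "refused")
```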
