Slackware-13.37 ChangeLog (2017-08-11)
Fri Aug 11 23:02:43 UTC 2017
Packages
Upgraded
- patches/packages/git-2.14.1-i486-1_slack13.37.txz
Fixes security issues:
A “ssh://…” URL can result in a “ssh” command line with a hostname that
begins with a dash “-”, which would cause the “ssh” command to instead
(mis)treat it as an option. This is now prevented by forbidding such a
hostname (which should not impact any real-world usage).
Similarly, when GIT_PROXY_COMMAND is configured, the command is run with
host and port that are parsed out from “ssh://…” URL; a poorly written
GIT_PROXY_COMMAND could be tricked into treating a string that begins with a
dash “-” as an option. This is now prevented by forbidding such a hostname
and port number (again, which should not impact any real-world usage).
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117
(* Security fix *)
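The rule described in this entry (refuse a hostname or port that begins with a dash) can be applied as a pre-flight check on repository URLs wherever an unpatched client may still be in use. The following is an added example, not code from git or Slackware; the function names and sample URLs are constructed for illustration, and only `ssh://` URLs are examined.

```python
from urllib.parse import urlsplit

# Constructed sample input; none of these are real repositories.
SAMPLE_URLS = [
    "ssh://git@example.org/repo.git",
    "ssh://git@example.org:2222/repo.git",
    "ssh://[::1]:22/repo.git",
    "ssh://-x/repo.git",                  # hostname begins with a dash
    "ssh://git@example.org:-1/repo.git",  # port begins with a dash
]

def split_host_port(netloc):
    """Return (host, port) from a URL authority, dropping any user@ prefix."""
    hostport = netloc.rpartition("@")[2]
    if hostport.startswith("["):          # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition("]")
        return host, rest[1:] if rest.startswith(":") else ""
    host, sep, port = hostport.rpartition(":")
    return (host, port) if sep else (hostport, "")

def check_ssh_url(url):
    """Return the reasons an ssh:// URL should be refused (empty list = ok)."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        return []                         # other schemes are out of scope here
    host, port = split_host_port(parts.netloc)
    problems = []
    if host.startswith("-"):
        problems.append("hostname begins with '-'")
    if port.startswith("-"):
        problems.append("port begins with '-'")
    return problems

def audit(urls):
    """Map each refused URL to its list of reasons."""
    return {u: p for u in urls if (p := check_ssh_url(u))}

if __name__ == "__main__":
    for url, reasons in audit(SAMPLE_URLS).items():
        print(f"REFUSE {url}: {', '.join(reasons)}")
```

The port is read as a raw string on purpose: `urlsplit(...).port` raises `ValueError` on a non-numeric port, which would hide the reason for the refusal.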