Upstream information

CVE-2017-12976 at MITRE

Description

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
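The check this class of bug calls for, as an added example (not git-annex's code and not its actual patch): validate the host parsed from a remote before it reaches the `ssh` command line, and pass `--` so a leading dash cannot be read as an option. The function names, `example.org`, `PLACEHOLDER` and `remote-command` are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_ssh_remote(url):
    """Split an ssh:// URL or scp-style 'user@host:path' remote into
    (user, host, port); return None if it is not an ssh remote."""
    if url.startswith("ssh://"):
        netloc = urlsplit(url).netloc
    elif "://" not in url and ":" in url:
        netloc = url.split(":", 1)[0]          # scp-style has no port field
    else:
        return None
    user, _, hostport = netloc.rpartition("@")
    if hostport.startswith("["):               # bracketed IPv6 literal
        host, _, rest = hostport[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    return user, host, port

def ssh_argv(url, command):
    """Build an argv list for ssh, refusing remotes ssh would read as options."""
    parsed = parse_ssh_remote(url)
    if parsed is None:
        raise ValueError("not an ssh remote: %r" % url)
    user, host, port = parsed
    if not host or host.startswith("-"):
        raise ValueError("refusing hostname %r" % host)
    if user.startswith("-"):
        raise ValueError("refusing user name %r" % user)
    if port and not (port.isascii() and port.isdigit()):
        raise ValueError("refusing port %r" % port)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    if user:
        argv += ["-l", user]
    # "--" ends option parsing, so the host can only be taken as a destination.
    return argv + ["--", host, command]

def is_accepted(url):
    """True if ssh_argv() would build a command line for this remote."""
    try:
        ssh_argv(url, "remote-command")        # constructed command name
        return True
    except ValueError:
        return False
```

The argv list is meant for `subprocess.run(argv)` without a shell, so the host string is never re-parsed by `/bin/sh`.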

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v2 Scores (National Vulnerability Database)

Base Score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

SUSE Bugzilla entries: 1052481 [RESOLVED], 1052696 [RESOLVED / FIXED], 1052932 [RESOLVED], 1053364 [RESOLVED / FIXED], 1053919 [RESOLVED / FIXED], 1054653 [RESOLVED], 1066430 [IN_PROGRESS], 1071709 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product: openSUSE Leap 42.2
Fixed package version(s):
  • git-annex >= 6.20170818-2.6.1
  • git-annex-bash-completion >= 6.20170818-2.6.1
References (patchnames): openSUSE-2017-986

Product: openSUSE Leap 42.3
Fixed package version(s):
  • git-annex >= 6.20170818-3.1
  • git-annex-bash-completion >= 6.20170818-3.1
References (patchnames): openSUSE-2017-986