Your message dated Sun, 17 Jun 2018 18:02:34 +0000 with message-id <e1fuc0y-0004gt...@fasolo.debian.org> and subject line Bug#873088: fixed in git-annex 5.20141125+deb8u1 has caused the Debian Bug report #873088, regarding git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 873088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873088 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: git-annex X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org Severity: grave Tags: security Hi, the following vulnerability was published for git-annex. CVE-2017-12976[0]: | git-annex before 6.20170818 allows remote attackers to execute | arbitrary commands via an ssh URL with an initial dash character in the | hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related | issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and | CVE-2017-1000117. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-12976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12976 Please adjust the affected versions in the BTS as needed.
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: git-annex Source-Version: 5.20141125+deb8u1 We believe that the bug you reported is fixed in the latest version of git-annex, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 873...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Antoine Beaupré <anar...@debian.org> (supplier of updated git-annex package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 26 Oct 2017 10:23:02 -0400 Source: git-annex Binary: git-annex Architecture: source amd64 Version: 5.20141125+deb8u1 Distribution: jessie-security Urgency: high Maintainer: Joey Hess <jo...@debian.org> Changed-By: Antoine Beaupré <anar...@debian.org> Description: git-annex - manage files with git, without checking their contents into git Closes: 873088 Changes: git-annex (5.20141125+deb8u1) jessie-security; urgency=high . * Non-maintainer upload by the Security Team. * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL (Closes: #873088) Checksums-Sha1: e356d92b89a2ba92febd63e4c7a540053d758038 3537 git-annex_5.20141125+deb8u1.dsc 284103ddbcd1c4f59eae75bd3b69c870902933e0 5963447 git-annex_5.20141125+deb8u1.tar.gz def4e6449ad089588e317b1d124178578abb0aa3 8491992 git-annex_5.20141125+deb8u1_amd64.deb Checksums-Sha256: aad22c44af16e06d41262e93984b293f168588f82adb45b904f2d7e44cd83c3c 3537 git-annex_5.20141125+deb8u1.dsc c92c91c9e20786dcf6c1bbf4b35125e8f0f58dd434a9183401192a35a63a79de 5963447 git-annex_5.20141125+deb8u1.tar.gz 522937ba9411466a2c00e00376bb48267ac0657f27902b5c4c8cb688ad71e63e 8491992 git-annex_5.20141125+deb8u1_amd64.deb Files: 39eced6036fd444e6ebc20ff48f4a472 3537 utils optional git-annex_5.20141125+deb8u1.dsc 284591204775190567f9a1c361b9fd25 5963447 utils optional git-annex_5.20141125+deb8u1.tar.gz 8ae7e45d0bbda1eb88d6086106b0a094 8491992 utils optional git-annex_5.20141125+deb8u1_amd64.deb -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAlnyLV0ACgkQPqHd3bJh 2XvYBQf/clZXO78fQCgpLWU0rq5SrIS/ogxWaZLBSRvVSavUB9FWt58+lw3OgnCL PKNIEr03ZpR7aCGYylJscJz30lMXrTv0AjH2QtMmUoWIMXNfignV88VMYhSpeC+v HNp7fP5LSOxJ5/QHGqyyZIEfKJ8L7/4od5aYU9n4cY6hfSGFWdd//g1N5PVVRaHq TiIZBRzaoFA+a6m1XYbVHsfXnctKCVuhabcULUNQy93IMSdafod73+UPaTmYJt/D ID6Ge1XcfssoBahJnn71TqqfCIt539VGMT9ZESvXYMKt5IgG/ULW5aa22mUKOWXb wdtTZJKICcjFJXe5Is3qV0QUmT/FKA== =Sfe2 -----END PGP SIGNATURE-----
--- End Message ---
