Bug#873088: marked as done (git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976))
Your message dated Fri, 06 Jul 2018 13:32:09 + with message-id and subject line
Bug#873088: fixed in git-annex 6.20170101-1+deb9u2
has caused the Debian Bug report #873088,
regarding git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
873088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: git-annex
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for git-annex.

CVE-2017-12976[0]:
| git-annex before 6.20170818 allows remote attackers to execute
| arbitrary commands via an ssh URL with an initial dash character in the
| hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related
| issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and
| CVE-2017-1000117.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12976
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12976

Please adjust the affected versions in the BTS as needed.

signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: git-annex
Source-Version: 6.20170101-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
git-annex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton (supplier of updated git-annex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 22 Jun 2018 16:42:37 +0100
Source: git-annex
Binary: git-annex
Architecture: source
Version: 6.20170101-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Richard Hartmann
Changed-By: Sean Whitton
Description:
 git-annex  - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (6.20170101-1+deb9u2) stretch; urgency=high
 .
   [ Joey Hess ]
   * CVE-2018-10857:
     - Added annex.security.allowed-url-schemes setting, which defaults
       to only allowing http, https, and ftp URLs. Note especially that
       file:/ is no longer enabled by default.
     - Removed annex.web-download-command, since its interface does not
       allow supporting annex.security.allowed-url-schemes across
       redirects. If you used this setting, you may want to instead use
       annex.web-options to pass options to curl.
     - git-annex will refuse to download content from the web, to prevent
       accidental exposure of data on private webservers on localhost and
       the LAN. This can be overridden with the
       annex.security.allowed-http-addresses setting. (The S3, glacier,
       and webdav special remotes are still allowed to download from the
       web.)
   * CVE-2018-10857 and CVE-2018-10859:
     - Refuse to download content, that cannot be verified with a hash,
       from encrypted special remotes (for CVE-2018-10859), and from all
       external special remotes (for CVE-2018-10857). In particular, URL
       and WORM keys stored on such remotes won't be downloaded. If this
       affects your files, you can run `git-annex migrate` on the affected
       files, to convert them to use a hash.
     - Added annex.security.allow-unverified-downloads, which can override
       the above.
 .
 git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers
     to execute arbitrary commands via an ssh URL with an initial dash
     character in the hostname, as demonstrated by an ssh://-eProxyCommand=
     URL (Closes: #873088)
Checksums-Sha1:
 440c1251fbe20dbf443c6df5fe751ca44aab2887 5240 git-annex_6.20170101-1+deb9u2.dsc
 2645dcd551cc00c03a293187953445c506d17cd4 88536 git-annex_6.20170101-1+deb9u2.debian.tar.xz
Checksums-Sha256:
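The download policy the deb9u2 changelog above describes (a scheme allowlist that no longer includes file:, refusal to fetch from localhost and LAN addresses, an address allowlist to override that, and the observation that a hand-off download command cannot enforce any of this across redirects), as an added Python example. This is not git-annex's code (git-annex is written in Haskell); the function names, the CIDR form of the allow list, the name table and the redirect-chain helper are assumptions made for the demonstration.

```python
"""URL policy in the spirit of annex.security.allowed-url-schemes and
annex.security.allowed-http-addresses (example code, not git-annex's)."""
import ipaddress
from urllib.parse import urlsplit

# Mirrors the changelog's default: http, https and ftp; file: is absent.
DEFAULT_SCHEMES = frozenset({"http", "https", "ftp"})


def resolve_literal_only(host):
    """Offline resolver: accepts IP literals only, so the example never
    touches the network. A real client would call socket.getaddrinfo here
    and then connect to the address it checked rather than re-resolving
    (otherwise DNS rebinding defeats the check)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return []
    return [host]


def check_url(url, allowed_schemes=DEFAULT_SCHEMES, allowed_addresses=(),
              resolve=resolve_literal_only):
    """Return (ok, reason). allowed_addresses is a sequence of CIDR strings
    playing the role of annex.security.allowed-http-addresses (assumed form)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        return False, "scheme %r is not allowed" % scheme
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    addrs = resolve(host)
    if not addrs:
        return False, "cannot resolve %r" % host
    allowed_nets = [ipaddress.ip_network(n, strict=False) for n in allowed_addresses]
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in allowed_nets):
            continue
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # where cloud metadata services live), CGNAT, multicast, unspecified.
        if not ip.is_global:
            return False, "%s resolves to non-global address %s" % (host, ip)
    return True, "ok"


def check_redirect_chain(hops, **policy):
    """Apply the same policy to every hop of a redirect chain. A public
    host that 302s to http://127.0.0.1/ is exactly what a bare download
    command, handed only the first URL, cannot police."""
    for hop in hops:
        ok, reason = check_url(hop, **policy)
        if not ok:
            return False, "%s: %s" % (hop, reason)
    return True, "ok"


# Constructed name table so the example runs without DNS.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.lan": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, resolve_literal_only(host))


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://169.254.169.254/latest/meta-data/",
              "http://intranet.lan/", "https://example.com/big.iso"):
        print(u, check_url(u, resolve=fake_resolve))
```

The address check must run on the address the connection will actually use: resolve once, check, connect to that address. Checking a name and then letting the HTTP library resolve it again reopens the hole via DNS rebinding, and checking only the first URL reopens it via redirects, which is the point the changelog makes about annex.web-download-command.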
Bug#873088: marked as done (git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976))
Your message dated Sun, 17 Jun 2018 18:02:34 + with message-id and subject line
Bug#873088: fixed in git-annex 5.20141125+deb8u1
has caused the Debian Bug report #873088,
regarding git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
873088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: git-annex
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for git-annex.

CVE-2017-12976[0]:
| git-annex before 6.20170818 allows remote attackers to execute
| arbitrary commands via an ssh URL with an initial dash character in the
| hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related
| issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and
| CVE-2017-1000117.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12976
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12976

Please adjust the affected versions in the BTS as needed.

signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: git-annex
Source-Version: 5.20141125+deb8u1

We believe that the bug you reported is fixed in the latest version of
git-annex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré (supplier of updated git-annex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 26 Oct 2017 10:23:02 -0400
Source: git-annex
Binary: git-annex
Architecture: source amd64
Version: 5.20141125+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Joey Hess
Changed-By: Antoine Beaupré
Description:
 git-annex  - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (5.20141125+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers
     to execute arbitrary commands via an ssh URL with an initial dash
     character in the hostname, as demonstrated by an ssh://-eProxyCommand=
     URL (Closes: #873088)
Checksums-Sha1:
 e356d92b89a2ba92febd63e4c7a540053d758038 3537 git-annex_5.20141125+deb8u1.dsc
 284103ddbcd1c4f59eae75bd3b69c870902933e0 5963447 git-annex_5.20141125+deb8u1.tar.gz
 def4e6449ad089588e317b1d124178578abb0aa3 8491992 git-annex_5.20141125+deb8u1_amd64.deb
Checksums-Sha256:
 aad22c44af16e06d41262e93984b293f168588f82adb45b904f2d7e44cd83c3c 3537 git-annex_5.20141125+deb8u1.dsc
 c92c91c9e20786dcf6c1bbf4b35125e8f0f58dd434a9183401192a35a63a79de 5963447 git-annex_5.20141125+deb8u1.tar.gz
 522937ba9411466a2c00e00376bb48267ac0657f27902b5c4c8cb688ad71e63e 8491992 git-annex_5.20141125+deb8u1_amd64.deb
Files:
 39eced6036fd444e6ebc20ff48f4a472 3537 utils optional git-annex_5.20141125+deb8u1.dsc
 284591204775190567f9a1c361b9fd25 5963447 utils optional git-annex_5.20141125+deb8u1.tar.gz
 8ae7e45d0bbda1eb88d6086106b0a094 8491992 utils optional git-annex_5.20141125+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAlnyLV0ACgkQPqHd3bJh
2XvYBQf/clZXO78fQCgpLWU0rq5SrIS/ogxWaZLBSRvVSavUB9FWt58+lw3OgnCL
PKNIEr03ZpR7aCGYylJscJz30lMXrTv0AjH2QtMmUoWIMXNfignV88VMYhSpeC+v
HNp7fP5LSOxJ5/QHGqyyZIEfKJ8L7/4od5aYU9n4cY6hfSGFWdd//g1N5PVVRaHq
TiIZBRzaoFA+a6m1XYbVHsfXnctKCVuhabcULUNQy93IMSdafod73+UPaTmYJt/D
ID6Ge1XcfssoBahJnn71TqqfCIt539VGMT9ZESvXYMKt5IgG/ULW5aa22mUKOWXb
wdtTZJKICcjFJXe5Is3qV0QUmT/FKA==
=Sfe2
-----END PGP SIGNATURE-----
--- End Message ---

___
Pkg-haskell-maintainers mailing list
Pkg-haskell-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-haskell-maintainers
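What the CVE text in both reports above means operationally, as an added Python example that is not git-annex's own code (git-annex is written in Haskell and its fix is in the upstream 6.20170818 release, not reproduced here): the client parses an ssh URL, places the host where ssh expects its destination, and an ssh program given a destination that starts with a dash parses it as an option, so -eProxyCommand=... becomes a command ssh runs locally. The fix class is to refuse to build an ssh command line whose destination argument begins with a dash. The function names, the handling of the scp-like user@host:path form, the percent-decoding and the remote command string are assumptions made for this demonstration.

```python
"""Refuse ssh destinations that ssh would parse as options
(CVE-2017-12976 class). Example code, not git-annex's."""
from urllib.parse import unquote


def parse_ssh_target(target):
    """Split ssh://[user@]host[:port]/path or scp-like [user@]host:path into
    (user, host, port, path). User and host are percent-decoded because the
    decoded form is what would land in ssh's argv (assumed behaviour)."""
    if target.startswith("ssh://"):
        netloc, sep, path = target[len("ssh://"):].partition("/")
        path = sep + path
        has_port = True
    else:
        netloc, sep, path = target.partition(":")
        # git's rule: a slash before the first colon means a local path, not ssh.
        if not sep or "/" in netloc:
            raise ValueError("not an ssh target: %r" % target)
        has_port = False
    user = None
    if "@" in netloc:
        user, netloc = netloc.rsplit("@", 1)
    port = None
    if netloc.startswith("["):                  # bracketed IPv6 literal
        host, _, tail = netloc[1:].partition("]")
        if tail.startswith(":"):
            port = tail[1:]
    elif has_port and ":" in netloc:
        host, _, port = netloc.rpartition(":")
    else:
        host = netloc
    if port is not None and not port.isdigit():
        raise ValueError("bad port %r" % port)
    return (unquote(user) if user is not None else None, unquote(host), port, path)


def ssh_argv(target, remote_command):
    """Build the ssh command line the way git-style clients do: options
    first, then the destination, then the remote command. The destination
    is refused if it starts with '-', because ssh would parse it as an
    option; -eProxyCommand=cmd or -oProxyCommand=cmd runs cmd locally."""
    user, host, port, _path = parse_ssh_target(target)
    if not host:
        raise ValueError("empty host in %r" % target)
    dest = host if user is None else "%s@%s" % (user, host)
    if dest.startswith("-"):
        raise ValueError("refusing ssh destination that looks like an option: %r" % dest)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", port]
    argv += [dest, remote_command]
    return argv


def is_safe_ssh_target(target):
    """True if ssh_argv would accept the target."""
    try:
        ssh_argv(target, "true")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The shape the CVE text describes, with a harmless command (constructed).
    for t in ("ssh://-eProxyCommand=touch%20/tmp/pwned/repo",
              "ssh://git@example.com:2222/srv/repo"):
        print(t, "->", is_safe_ssh_target(t))
```

Two details matter in practice. The check is applied to the exact string that becomes the argv element, after percent-decoding, so ssh://%2DeProxyCommand=... is caught as well. And the example rejects rather than inserting a "--" separator before the destination, because the same target string typically also reaches other programs (scp, rsync, a remote shell) that may not honour "--" the same way.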