Source: bzr
Version: 2.6.0+bzr6595-6
Severity: grave
Tags: upstream security
Justification: user security hole
Control: fixed -1 2.7.0+bzr6622-7

Hi,

This is handled already in unstable with 2.7.0+bzr6622-7, this bug is to track the issue until the CVE is assigned and properly identified via a CVE. A CVE was apparently requested, reading LP #1710979.

bzr (2.7.0+bzr6622-7) unstable; urgency=high

  * Add patch 27_fix_sec_ssh: Strip out hostnames starting with dash in
    bzr+ssh URLs, as they might allow an attacker to provide SSH
    command-line flags. LP: #1710979

https://bugs.launchpad.net/bzr/+bug/1710979

Regards,
Salvatore
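
The check the changelog entry describes, as an added example that is not part of the original message and is not the code of patch 27_fix_sec_ssh: the host of a bzr+ssh URL is refused when it starts with a dash, before any ssh argument vector is built. The function names, the sample URLs, the remote command and the extra "--" separator (which assumes an OpenSSH-style client) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote


class UnsafeHostError(ValueError):
    """The host part of the URL would be read by ssh as an option."""


def parse_bzr_ssh_url(url):
    """Split a bzr+ssh URL into (user, host, port, path); refuse dash-led hosts."""
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % (url,))
    # Decode percent-escapes first so "%2D" cannot hide a leading dash.
    host = unquote(parts.hostname or "")
    if not host:
        raise ValueError("no host in URL: %r" % (url,))
    if host.startswith("-"):
        raise UnsafeHostError("refusing host %r: starts with '-'" % (host,))
    user = unquote(parts.username) if parts.username else None
    return user, host, parts.port, parts.path


def build_ssh_argv(url, remote_command):
    """Build the argument vector for the ssh subprocess (a list, never a shell string)."""
    user, host, port, _path = parse_bzr_ssh_url(url)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    if user is not None:
        argv += ["-l", user]
    # Assumption: an OpenSSH-style client, where "--" ends option parsing.
    # Defence in depth only; the host check above is the actual control.
    argv += ["--", host] + list(remote_command)
    return argv


# Constructed sample inputs; the remote command is a hypothetical placeholder.
REMOTE = ["bzr", "serve", "--inet"]
SAMPLES = [
    "bzr+ssh://dev@code.example.org:2222/srv/repo",  # ordinary host
    "bzr+ssh://-v/srv/repo",                         # host starts with a dash
    "bzr+ssh://%2Dv/srv/repo",                       # same, percent-encoded
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("ok     ", build_ssh_argv(sample, REMOTE))
        except UnsafeHostError as exc:
            print("refused", sample, "->", exc)
```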