[Pkg-bazaar-maint] Bug#874429: bzr: bzr+ssh URLs don't strip SSH options
Salvatore Bonaccorso
carnil at debian.org
Wed Sep 6 04:37:15 UTC 2017
Source: bzr
Version: 2.6.0+bzr6595-6
Severity: grave
Tags: upstream security
Justification: user security hole
Control: fixed -1 2.7.0+bzr6622-7
Hi
This is handled already in unstable with 2.7.0+bzr6622-7, this bug is
to track the issue until the CVE is assigned and properly identified
via a CVE. A CVE was apparently requested, reading LP #1710979.
bzr (2.7.0+bzr6622-7) unstable; urgency=high

  * Add patch 27_fix_sec_ssh: Strip out hostnames starting with dash in
    bzr+ssh URLs, as they might allow an attacker to provide SSH command-line
    flags. LP: #1710979
https://bugs.launchpad.net/bzr/+bug/1710979
Regards,
Salvatore
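The changelog entry above describes the fix only in one sentence: a hostname taken from a bzr+ssh URL must never start with a dash, because it ends up as an argument to the ssh binary. The following is an added example, not code from bzr or from the Debian patch, of how a client can validate the URL before building the ssh command line. It assumes the illustrative remote command `bzr serve --inet`; the user-name check and the `--` option terminator go beyond what the patch describes and are extra defensive measures.

```python
import re
from urllib.parse import urlsplit

# Conservative allow-list for the pieces that end up on the ssh command line.
# Neither a hostname nor a user name may begin with '-', so they can never be
# taken for an option by ssh's argument parser. IPv6 literals (colons) are
# accepted; anything else outside the alphabet is refused.
_HOST_RE = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9.:-]*$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


class UnsafeSshTarget(ValueError):
    """Raised when a URL component could be parsed by ssh as an option."""


def parse_bzr_ssh_url(url):
    """Return (user, host, port, path) for a bzr+ssh URL, refusing unsafe hosts/users."""
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % url)
    host = parts.hostname
    if not host:
        raise ValueError("missing hostname in %r" % url)
    if host.startswith("-") or not _HOST_RE.match(host):
        raise UnsafeSshTarget("refusing hostname %r" % host)
    user = parts.username
    if user is not None and (user.startswith("-") or not _USER_RE.match(user)):
        raise UnsafeSshTarget("refusing user name %r" % user)
    return user, host, parts.port, parts.path or "/"


def is_safe_bzr_ssh_url(url):
    """True if the URL passes the checks above, False if it would be refused."""
    try:
        parse_bzr_ssh_url(url)
    except ValueError:  # UnsafeSshTarget is a ValueError too
        return False
    return True


def ssh_argv(url, remote_cmd=("bzr", "serve", "--inet")):
    """Build the argv a client would exec. The host is a plain positional argument,
    placed after '--' so ssh stops option parsing even if validation were bypassed."""
    user, host, port, _path = parse_bzr_ssh_url(url)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    if user is not None:
        argv += ["-l", user]
    argv += ["--", host]
    argv += list(remote_cmd)  # illustrative remote command, not bzr's exact invocation
    return argv
```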