Description
Security update for cvs
This update for cvs fixes the following issues:
- CVE-2017-12836: A leading dash in the argument of the '-d' option could lead to argument injection (bsc#1053364)
Package list
SUSE Linux Enterprise Desktop 12 SP2
cvs-1.12.12-182.3.1
SUSE Linux Enterprise Desktop 12 SP3
cvs-1.12.12-182.3.1
SUSE Linux Enterprise Server 12 SP2
cvs-1.12.12-182.3.1
cvs-doc-1.12.12-182.3.1
SUSE Linux Enterprise Server 12 SP3
cvs-1.12.12-182.3.1
cvs-doc-1.12.12-182.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
cvs-1.12.12-182.3.1
cvs-doc-1.12.12-182.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
cvs-1.12.12-182.3.1
cvs-doc-1.12.12-182.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
cvs-1.12.12-182.3.1
cvs-doc-1.12.12-182.3.1
References
- Link for SUSE-SU-2017:2419-1
- E-Mail link for SUSE-SU-2017:2419-1
- SUSE Security Ratings
- SUSE Bug 1053364
- SUSE CVE CVE-2017-12836 page
Description
CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
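A defensive pre-check for the condition described above, added here as an example (it is not SUSE's or CVS's code): a wrapper that receives a repository root from an untrusted source can extract the host part and refuse one that begins with a dash before handing the string to `cvs -d`. The regular expression is a simplified CVSROOT grammar assumed for this example, and the sample roots are constructed apart from the string quoted in the description.

```python
import re

# Simplified CVSROOT grammar (an assumption of this example, not CVS's parser):
#   [:method[;options]:][user[:password]@]host[:[port]]/path
_REMOTE_ROOT = re.compile(
    r"""^(?::[^:;]+(?:;[^:]*)?:)?      # optional :method[;options]:
        (?:[^@/]*@)?                    # optional user[:password]@
        (?P<host>[^:/]+)                # host: everything up to ':' or '/'
        :?\d*                           # optional ':' and port
        (?P<path>/.*)$                  # repository path
    """,
    re.VERBOSE,
)


def remote_host(cvsroot):
    """Return the host part of a remote CVSROOT, or None for a local path."""
    m = _REMOTE_ROOT.match(cvsroot)
    return m.group("host") if m else None


def is_option_like_host(cvsroot):
    """True when the host would be read as a command-line option by the
    remote-shell client, i.e. it starts with '-'."""
    host = remote_host(cvsroot)
    return host is not None and host.startswith("-")


def screen(roots):
    """Return the subset of CVSROOT strings that must be rejected."""
    return [r for r in roots if is_option_like_host(r)]


# Constructed sample input; the first entry is the string quoted in the advisory.
SAMPLES = [
    "-oProxyCommand=id;localhost:/bar",
    ":ext:-oProxyCommand=id;localhost:/bar",
    ":ext:alice@cvs.example.org:/srv/cvs",
    ":pserver:anonymous@cvs.example.org:2401/cvsroot",
    "/var/lib/cvs",
]

if __name__ == "__main__":
    for root in screen(SAMPLES):
        print("rejected:", root)
```
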
Affected products
SUSE Linux Enterprise Desktop 12 SP2:cvs-1.12.12-182.3.1
SUSE Linux Enterprise Desktop 12 SP3:cvs-1.12.12-182.3.1
SUSE Linux Enterprise Server 12 SP2:cvs-1.12.12-182.3.1
SUSE Linux Enterprise Server 12 SP2:cvs-doc-1.12.12-182.3.1
References
- CVE-2017-12836
- SUSE Bug 1052481
- SUSE Bug 1052696
- SUSE Bug 1052932
- SUSE Bug 1053364
- SUSE Bug 1054653
- SUSE Bug 1059797
- SUSE Bug 1066430
- SUSE Bug 1071709