exploitDog

openSUSE-SU-2017:3271-1

Published: 12 Dec 2017
Source: suse-cvrf

Description

Security update for fossil

This update for fossil to version 2.4 fixes the following issues:

  • CVE-2017-17459: Client-side code execution via crafted 'ssh://' URLs (bsc#1071709)

The impact of this vulnerability is more limited than similar vectors fixed in other SCMs, as there is no known way to mask the repository URL or otherwise trigger non-interactively.

This update also contains all bug fixes and improvements in the 2.4 release:

  • URL Aliases
  • tech-note search capability
  • Various added command line options
  • Annotation depth is now configurable

The following legacy options are no longer available:

  • --no-dir-symlinks option
  • legacy configuration sync protocol

Package list

openSUSE Leap 42.2
fossil-2.4-6.1
openSUSE Leap 42.3
fossil-2.4-6.1

Description

http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
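The defect described above is a classic argument-injection pattern: a hostname taken from an `ssh://` URL is handed to the `ssh` command line, and a value beginning with a dash is parsed by the client as an option rather than a destination. The following C code is an added illustration of the defensive checks a sync client can apply before spawning `ssh`; it is not Fossil's own code from http_transport.c, and the function names (`ssh_url_host`, `ssh_host_is_safe`, `ssh_url_accept`, `build_ssh_argv`) are assumptions made for this example. It extracts the host from the URL, rejects any host that starts with `-` or contains characters outside a plain DNS name or IPv4 literal, and additionally places `--` before the host in the assembled argv so the option parser stops before it.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Extract the host part of an ssh:// URL into host (NUL-terminated).
   Skips an optional user@ prefix and stops at :port or the first '/'.
   Returns 1 on success, 0 if the scheme is wrong, the host is empty,
   or the buffer is too small. (Example helper, not Fossil's code.) */
int ssh_url_host(const char *url, char *host, size_t hostsz) {
    const char *p, *end, *at, *q;
    size_t n;
    if (strncmp(url, "ssh://", 6) != 0) return 0;
    p = url + 6;
    end = p + strcspn(p, "/");                 /* authority ends at '/' or NUL */
    at = memchr(p, '@', (size_t)(end - p));
    if (at) p = at + 1;                        /* drop user@ */
    for (q = p; q < end && *q != ':'; q++) ;   /* stop at :port */
    n = (size_t)(q - p);
    if (n == 0 || n >= hostsz) return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* A host beginning with '-' can be consumed by the ssh client as an
   option, so it is rejected outright. The character allow-list is
   deliberately conservative (DNS labels and IPv4 literals only); IPv6
   bracket literals would need explicit handling and are rejected here. */
int ssh_host_is_safe(const char *host) {
    const char *c;
    if (host[0] == '\0' || host[0] == '-') return 0;
    for (c = host; *c; c++) {
        if (!isalnum((unsigned char)*c) && *c != '.' && *c != '-') return 0;
    }
    return 1;
}

/* Convenience wrapper: 1 if the URL's host passes the checks, else 0. */
int ssh_url_accept(const char *url) {
    char host[256];
    if (!ssh_url_host(url, host, sizeof host)) return 0;
    return ssh_host_is_safe(host);
}

/* Assemble an ssh argv with "--" before the host as a second line of
   defence: even a host that slipped past validation cannot be read as
   an option once the parser has seen "--". Returns argc, or -1 if the
   array is too small. The caller supplies the remote command, if any. */
int build_ssh_argv(const char *host, const char *argv[], size_t maxargs) {
    size_t i = 0;
    if (maxargs < 4 || !ssh_host_is_safe(host)) return -1;
    argv[i++] = "ssh";
    argv[i++] = "--";
    argv[i++] = host;
    argv[i] = NULL;
    return (int)i;
}
```

Both checks are independent: the allow-list stops a malicious host before any process is spawned, and the `--` separator protects the invocation even if validation is later relaxed (for example to admit IPv6 literals). A client that relies on only one of the two is the weaker design.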


Affected products
openSUSE Leap 42.2: fossil-2.4-6.1
openSUSE Leap 42.3: fossil-2.4-6.1

References
Vulnerability openSUSE-SU-2017:3271-1