Neal Becker wrote:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.

For curious parties, git and subversion are also similarly vulnerable. I have git builds in progress for f25, f26, and rawhide now.

I also forwarded the git announcement to the Red Hat security team. They likely already know, but I don't see any tracker bugs in bugzilla yet (for git's CVE anyway, CVE-2017-1000117).

Hard work never killed anybody, but why take a chance?
   -- Charlie McCarthy
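
A caller-side check for the issue discussed in this thread, added here as an illustration and not taken from Mercurial, git or subversion. The names `ssh_argv` and `UnsafeSSHURL` are hypothetical; the function rejects an `ssh://` URL whose user or host would be read by ssh as an option, and places `--` before the destination. Bracketed IPv6 literals are not handled and are rejected by the port check.

```python
from urllib.parse import urlsplit, unquote


class UnsafeSSHURL(ValueError):
    """Raised when a URL component could be read by ssh as an option."""


def ssh_argv(url, remote_cmd):
    """Build an ssh argument vector for an ssh:// URL, or raise UnsafeSSHURL."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise UnsafeSSHURL("not an ssh:// URL: %r" % url)
    # Split the authority by hand: urlsplit().hostname lowercases the value
    # and leaves percent-escapes encoded, which would hide a leading '-'.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    user = unquote(userinfo.split(":", 1)[0])
    host = unquote(host)
    if not host:
        raise UnsafeSSHURL("empty hostname")
    for label, value in (("user", user), ("host", host)):
        if value.startswith("-"):
            raise UnsafeSSHURL("%s %r would be parsed as an ssh option" % (label, value))
        if any(c.isspace() or ord(c) < 0x20 for c in value):
            raise UnsafeSSHURL("whitespace or control character in %s" % label)
    if port and not port.isdigit():
        raise UnsafeSSHURL("non-numeric port %r" % port)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    # "--" ends option parsing, so the destination cannot be taken as an
    # option even if one of the checks above were bypassed.
    argv += ["--", (user + "@" + host) if user else host, remote_cmd]
    return argv
```

Pass the returned list to `subprocess.run()` without `shell=True`, so that no shell re-parses the arguments.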
