This bug was fixed in the package bzr - 2.7.0+bzr6619-7ubuntu0.1 --------------- bzr (2.7.0+bzr6619-7ubuntu0.1) zesty-security; urgency=medium
* SECURITY UPDATE: Possible arbitrary code execution on clients through malicious bzr+ssh URLs - debian/patches/24_ssh_hostnames-lp1710979: ensure that host arguments to ssh cannot be treated as ssh options. - LP: #1710979 -- Steve Beattie <sbeat...@ubuntu.com> Mon, 28 Aug 2017 21:54:13 -0700 ** Changed in: bzr (Ubuntu) Status: Confirmed => Fix Released ** Changed in: bzr (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1710979 Title: bzr+ssh URLs don't strip SSH options To manage notifications about this bug go to: https://bugs.launchpad.net/brz/+bug/1710979/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs