diff options
author | Wenzong Fan <wenzong.fan@windriver.com> | 2017-09-07 02:49:06 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-11 17:30:30 +0100 |
commit | 3f5906e086d904f48e1790c59cf01c0c94b31b64 (patch) | |
tree | 7492f28d8b921c4b2b7424ffe6b4bbdd299875d2 /oe-init-build-env | |
parent | f2a8f94430c8d101cd4344d7099b3ada021d4af6 (diff) | |
download | poky-3f5906e086d904f48e1790c59cf01c0c94b31b64.tar.gz |
subversion: fix CVE-2017-9800
A maliciously constructed svn+ssh:// URL would cause Subversion clients
before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3
to run an arbitrary shell command. Such a URL could be generated by a
malicious server, by a malicious user committing to a honest server(to
attack another user of that server's repositories), or by a proxy
server.
The vulnerability affects all clients, including those that use
file://, http://, and plain (untunneled) svn://.
Backport patch from:
http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
Reference:
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
(From OE-Core rev: 6e1f8001a0f3c26cce9c692d25987a3c47ff2f74)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'oe-init-build-env')
0 files changed, 0 insertions, 0 deletions