CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "2:1.12.13+real-12ubuntu0.1", "binary_name": "cvs" }, { "binary_version": "2:1.12.13+real-12ubuntu0.1", "binary_name": "cvs-dbgsym" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "2:1.12.13+real-15ubuntu0.1", "binary_name": "cvs" }, { "binary_version": "2:1.12.13+real-15ubuntu0.1", "binary_name": "cvs-dbgsym" } ] }