diff options
| author | Wenzong Fan <wenzong.fan@windriver.com> | 2017-09-07 02:49:06 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-11 17:30:13 +0100 |
| commit | 6e1f8001a0f3c26cce9c692d25987a3c47ff2f74 (patch) | |
| tree | 3e204fb030fc5715fd52ef275d38b4fe10e759db /scripts/lib/devtool/sdk.py | |
| parent | 34cde8e965acca2706d3e3d8b5b3e9f4c3e010c3 (diff) | |
| download | openembedded-core-6e1f8001a0f3c26cce9c692d25987a3c47ff2f74.tar.gz openembedded-core-6e1f8001a0f3c26cce9c692d25987a3c47ff2f74.tar.bz2 openembedded-core-6e1f8001a0f3c26cce9c692d25987a3c47ff2f74.zip | |
subversion: fix CVE-2017-9800
A maliciously constructed svn+ssh:// URL would cause Subversion clients
before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3
to run an arbitrary shell command. Such a URL could be generated by a
malicious server, by a malicious user committing to a honest server(to
attack another user of that server's repositories), or by a proxy
server.
The vulnerability affects all clients, including those that use
file://, http://, and plain (untunneled) svn://.
Backport patch from:
http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
Reference:
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'scripts/lib/devtool/sdk.py')
0 files changed, 0 insertions, 0 deletions