Dulwich, when an SSH subprocess is used, allowed remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname (CVE-2017-16228).
{ "section": "core" }