CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "cvs": "2:1.12.13+real-12ubuntu0.1", "cvs-dbgsym": "2:1.12.13+real-12ubuntu0.1" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "cvs": "2:1.12.13+real-15ubuntu0.1", "cvs-dbgsym": "2:1.12.13+real-15ubuntu0.1" } ] }