CVE-2017-9800 (was: svn commit: r1804692 - /subversion/trunk/notes/ssh-tricks)

Daniel Shahaf d.s at daniel.shahaf.name
Thu Aug 10 13:29:39 CDT 2017


Hi, please check the book's recommendations regarding $SVN_SSH and
tunnels and ensure it adds '--' there so readers on pre-1.9.7 versions
aren't given advice that's vulnerable to CVE-2017-9800.

Daniel

danielsh at apache.org wrote on Thu, 10 Aug 2017 18:15 +0000:
> Author: danielsh
> Date: Thu Aug 10 18:15:12 2017
> New Revision: 1804692
> 
> URL: http://svn.apache.org/viewvc?rev=1804692&view=rev
> Log:
> Follow-up to r1804691:
> 
> * notes/ssh-tricks: Update this documentation, too.
> 
> This patch is separate because notes/ is not in tarballs.
> 
> Modified:
>     subversion/trunk/notes/ssh-tricks
> 
> Modified: subversion/trunk/notes/ssh-tricks
> URL: http://svn.apache.org/viewvc/subversion/trunk/notes/ssh-tricks?rev=1804692&r1=1804691&r2=1804692&view=diff
> ==============================================================================
> --- subversion/trunk/notes/ssh-tricks (original)
> +++ subversion/trunk/notes/ssh-tricks Thu Aug 10 18:15:12 2017
> @@ -15,7 +15,7 @@ not work with password authentication.
>  the client's key-pair is used only for access to svnserve; if you want
>  to retain general shell access to the host, create a second, dedicated
>  key-pair for Subversion access and (assuming a Unix client) set the
> -environment variable SVN_SSH to "ssh -i /path/to/private/key/file".
> +environment variable SVN_SSH to "ssh -i /path/to/private/key/file --".
>  
>  The basic idea
>  --------------
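Review bot: Missing documentation on the changed line (`SVN_SSH to "ssh -i /path/to/private/key/file --"`): the text gives no reason for the trailing `--`, so a reader adapting the value may drop it or append further ssh options after it. Suggest adding a sentence here saying that `--` must stay the last word of the SVN_SSH value, with any extra ssh options placed before it, and that it is what keeps this advice safe on clients older than 1.9.7 (CVE-2017-9800), as the cover message says.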
> 
> 



More information about the svnbook-dev mailing list