CVE-2017-9800 (was: svn commit: r1804692 - /subversion/trunk/notes/ssh-tricks)
d.s at daniel.shahaf.name
Thu Aug 10 13:29:39 CDT 2017
Hi, please check the book's recommendations regarding $SVN_SSH and
tunnels and ensure it adds '--' there so readers on pre-1.9.7 versions
aren't given advice that's vulnerable to CVE-2017-9800.
danielsh at apache.org wrote on Thu, 10 Aug 2017 18:15 +0000:
> Author: danielsh
> Date: Thu Aug 10 18:15:12 2017
> New Revision: 1804692
> URL: http://svn.apache.org/viewvc?rev=1804692&view=rev
> Follow-up to r1804691:
> * notes/ssh-tricks: Update this documentation, too.
> This patch is separate because notes/ is not in tarballs.
> Modified: subversion/trunk/notes/ssh-tricks
> URL: http://svn.apache.org/viewvc/subversion/trunk/notes/ssh-tricks?rev=1804692&r1=1804691&r2=1804692&view=diff
> --- subversion/trunk/notes/ssh-tricks (original)
> +++ subversion/trunk/notes/ssh-tricks Thu Aug 10 18:15:12 2017
> @@ -15,7 +15,7 @@ not work with password authentication.
> the client's key-pair is used only for access to svnserve; if you want
> to retain general shell access to the host, create a second, dedicated
> key-pair for Subversion access and (assuming a Unix client) set the
> -environment variable SVN_SSH to "ssh -i /path/to/private/key/file".
> +environment variable SVN_SSH to "ssh -i /path/to/private/key/file --".
> The basic idea
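Review bot: The new SVN_SSH value on the changed line ends in a bare "--", and nothing in the surrounding paragraph says why, so a reader adapting the command (for example, to add further ssh options) can drop it or append options after it. Suggest adding one sentence after the example stating that the trailing "--" must stay as the last token of SVN_SSH because it marks the end of ssh's options, and that clients older than 1.9.7 need it there to avoid CVE-2017-9800.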