Posted: Sat Jan 27, 2018 5:26 pm
Post subject: [ GLSA 201801-20 ] Fossil
Gentoo Linux Security Advisory
Title: Fossil: User-assisted execution of arbitrary code (GLSA 201801-20)
A vulnerability has been discovered in Fossil allowing for
user-assisted remote execution of arbitrary code.
Fossil is a simple, high-reliability, distributed software configuration
Vulnerable: < 2.4
Unaffected: >= 2.4
Architectures: All supported architectures
Fossil does not properly validate SSH sync protocol URLs.
A remote attacker, by enticing a user to open a specially crafted URL,
could possibly execute arbitrary commands with the privileges of the user
running the application.
There is no known workaround at this time.
All Fossil users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/fossil-2.4"
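
To confirm that a host is past the fixed release, the following added example (not part of the advisory or of Fossil) classifies the output of `fossil version` against the 2.4 threshold given above. The function names are hypothetical, and the "This is fossil version X.Y ..." output format is an assumption; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# First unaffected release according to GLSA 201801-20.
FIXED_VERSION="2.4"

# Extract the dotted version from one line of `fossil version` output.
# Assumed format (constructed sample):
#   This is fossil version 2.3 [0000000000] 2017-07-21 03:19:30 UTC
fossil_parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^This is fossil version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 is lower than $2. Components are compared
# numerically, so 2.10 sorts after 2.4 (a plain string compare gets this wrong).
version_lt() {
    [ "$1" = "$2" ] && return 1
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print "vulnerable", "unaffected" or "unknown" for a `fossil version` line.
fossil_glsa_status() {
    v=$(fossil_parse_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Check the locally installed binary, if there is one.
if command -v fossil >/dev/null 2>&1; then
    fossil_glsa_status "$(fossil version)"
fi
```

An "unknown" result means the output did not match the assumed format and the version should be checked by hand.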