在「[ANNOUNCE] Git v2.14.1, v2.13.5, and others」這邊看到
These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.
這算是老問題了，Git 對應的修正主要是朝 filter input 的方向修正，包括了禁用
- 開頭的 hostname，以及禁止
- 的 repository name：
- A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
- Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
- In the same spirit, a repository name that begins with a dash "-" is also forbidden now.
然後中華電信的 DNS server (18.104.22.168 & 22.214.171.124) 都查不到
marc.info，改用 Google 的 126.96.36.199 才查得到... =_=