CVE-2017-12976: A hostname starting with a dash would get passed to ssh and be treated as an option. This could be used by an attacker who provides a crafted repository url to cause the victim to execute arbitrary code via -oProxyCommand.

Fixed in git-annex 6.20170818

This is related to a git security hole, CVE-2017-1000117.

[[!meta Error: Can't locate Date/Parse.pm in @INC (you may need to install the Date::Parse module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 /usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 /usr/share/perl/5.36 /usr/local/lib/site_perl) at (eval 20898) line 1. BEGIN failed--compilation aborted at (eval 20898) line 1. ]]