git2 Rust package suppresses ssh host key checking

By default, when accessing an ssh repository ie via an ssh: git repository url the git2 Rust package does not do any host key checking. Additionally, the provided API is not sufficient for a an application to do meaningful checking itself. Impact When connecting to an ssh repository, and when an...

CVE-2017-12836

CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."...