CVE-2017-12976

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.

CVE-2014-6274

git-annex had a bug in the S3 and Glacier remotes where if embedcreds=yeswas set, and the remote used encryption=pubkey or encryption=hybrid,the embedded AWS credentials were stored in the git repositoryin (effectively) plaintext, not encrypted as they were supposed to be. This issue affects git-an...