CVE-2017-12976: A hostname starting with a dash would get passed to ssh and be treated as an option. This could be used by an attacker who provides a crafted repository url to cause the victim to execute arbitrary code via -oProxyCommand.

Fixed in git-annex 6.20170818

This is related to a git security hole, CVE-2017-1000117.