CVE-2017-12976: A hostname starting with a dash would get passed to ssh and be treated as
an option. This could be used by an attacker who provides a crafted
repository url to cause the victim to execute arbitrary code via
-oProxyCommand
.
Fixed in git-annex 6.20170818
This is related to a git security hole, CVE-2017-1000117.