Oh cool my hobbyist operating system #Sortix is vulnerable to CVE-2017-9800pic.twitter.com/AaQbXNvAYs
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Have you found yet what hostname starting with - is actually supposed to let you achieve code exec?
I believe it's more that repositories out of the clients control can contain subrepos or submodules, which have specially crafted urls.
Right. But how do you convert control of one element of ssh's argv[] to code execution?
The mercurial announcement contains a good explanation, certain client options execute commands: https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html …
So -oProxyCommand=./evil.sh?
Or even.. -oProxyCommand=chrome :-)
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.