Ubuntu Security Notice 3411-1 - Adam Collard discovered that Bazaar did not properly handle host names in 'bzr+ssh://' URLs. A remote attacker could use this to construct a bazaar repository URL that when accessed could run arbitrary code with the privileges of the user.
1cd6ecc4d0c2f2a2272daab0fc85768c17ed8a7f56b2b81b5bb39734a54dbc27