Bazaar is vulnerable to Arbitrary Code Execution. An attacker is able to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname.
people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html
www.ubuntu.com/usn/usn-3411-1
bugs.debian.org/874429
bugs.launchpad.net/bzr/+bug/1710979
bugzilla.redhat.com/show_bug.cgi?id=1486685
bugzilla.suse.com/show_bug.cgi?id=1058214
security-tracker.debian.org/tracker/CVE-2017-14176
www.debian.org/security/2017/dsa-4052