
Advisories MDVSA-2010:128: lftp



A vulnerability has been found and corrected in lftp:

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory (CVE-2010-2251).

Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally on 2008.0 lftp has been upgraded to 3.7.4.

The updated packages have been patched to correct this issue.
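
The class of check the advisory describes, as an added example that is not part of the original advisory and is not lftp's patch: a download client reduces the Content-Disposition filename to a plain, non-dot name inside its download directory and refuses to overwrite. The function names, the `download.bin` fallback and the sample header values are assumptions made for illustration.

```python
import os
from email.message import Message

def suggested_filename(content_disposition):
    """Return the filename parameter of a Content-Disposition value, or None."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()

def safe_destination(content_disposition, download_dir, fallback="download.bin"):
    """Map a server-suggested filename to a path directly inside download_dir."""
    raw = suggested_filename(content_disposition) or ""
    # Keep only the last path component; treat "\" as a separator too.
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop control characters, then leading dots and spaces, so the result
    # is never ".", ".." or a dotfile such as ".bashrc".
    name = "".join(c for c in name if c.isprintable()).strip().lstrip(". ")
    if not name:
        name = fallback  # hypothetical default name
    base = os.path.realpath(download_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a pre-existing link that points out of
    # download_dir is rejected here as well.
    if os.path.dirname(dest) != base:
        raise ValueError("refusing destination outside %s: %r" % (base, raw))
    return dest

def create_new(dest):
    """Create dest for writing; fail rather than overwrite an existing file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(dest, flags, 0o600)

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    # Constructed header values, standing in for what a server might send.
    for header in ('attachment; filename="report.pdf"',
                   'attachment; filename="../../.bashrc"',
                   'attachment; filename="/etc/cron.d/job"',
                   'attachment; filename=".."'):
        print(header, "->", safe_destination(header, d))
```
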
