Debian Lenny DSA-2085-1 Moderate: Lftp Remote Code Execution
debian
August 3, 2010
It was discovered that in lftp, a command-line HTTP/FTP client, there is no proper validation of the filename provided by the server through the Content-Disposition header; attacke...
Summary
It was discovered that in lftp, a command-line HTTP/FTP client, there is
no proper validation of the filename provided by the server through the
Content-Disposition header; attackers can use this flaw by suggesting a
filename they wish to overwrite on the client machine, and then possibly
execute arbitrary code (for instance if the attacker elects to write a
dotfile in a home directory).
For the stable distribution (lenny), this problem has been fixed in
version 3.7.3-1+lenny1.
For the testing distribution (squeeze), this problem has been fixed in
version 4.0.6-1.
For the unstable distribution (sid), this problem has been fixed in
version 4.0.6-1.
We recommend that you upgrade your lftp packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
...
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: lftp
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!