SciLinux: CVE-2010-2251 Moderate: lftp SL 5
Summary
input. It has bookmarks, built-in mirroring, and can transfer several filesin parallel. It is designed with reliability in mind.It was discovered that lftp trusted the file name provided in theflaw to write or overwrite files in the current working directory of avictim running lftp, by sending a different file from what the victimrequested. (CVE-2010-2251)To correct this flaw, the following changes were made to lftp: the"xfer:clobber" option now defaults to "no", causing lftp to not overwriteexisting files, and a new option, "xfer:auto-rename", which defaults to"no", has been introduced to control whether lftp should useserver-suggested file names. Refer to the "Settings" section of the lftp(1)manual page for additional details on changing lftp settings.All lftp users should upgrade to this updated package, which contains abackported patch to correct this issue.Source:lftp-3.7.11-4.el5_5.3.src.rpmi386:lftp-3.7.11-4.el5_5.3.i386.rpmx86_64:lftp-3.7.11-4.el5_5.3.x86_64.rpm-Connie Sieh-Troy Dawson