Ubuntu 984-1: LFTP vulnerability

    Date: 07 Sep 2010
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.
    ===========================================================
    Ubuntu Security Notice USN-984-1         September 07, 2010
    lftp vulnerability
    CVE-2010-2251
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 8.04 LTS
    Ubuntu 9.04
    Ubuntu 9.10
    Ubuntu 10.04 LTS
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 8.04 LTS:
      lftp                            3.6.1-1ubuntu0.1
    
    Ubuntu 9.04:
      lftp                            3.7.8-1ubuntu0.1
    
    Ubuntu 9.10:
      lftp                            3.7.15-1ubuntu2.1
    
    Ubuntu 10.04 LTS:
      lftp                            4.0.2-1ubuntu0.1
    
    In general, a standard system update will make all the necessary changes.
    
    ATTENTION: This update changes previous behaviour by ignoring the filename
    supplied by servers in Content-Disposition headers. To re-enable previous
    behaviour, use the new xfer:auto-rename setting.
    
    Details follow:
    
    It was discovered that LFTP incorrectly filtered filenames suggested
    by Content-Disposition headers. If a user or automated system were tricked
    into downloading a file from a malicious site, a remote attacker could
    create the file with an arbitrary name, such as a dotfile, and possibly run
    arbitrary code.
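The two passages above describe the defect (a server-supplied Content-Disposition filename was not filtered strictly enough, so a dotfile or a path could be written) and the fix's policy (ignore the server's name by default, opt back in with xfer:auto-rename). The following is an added Python example, not lftp's code, showing what a defensive implementation of that policy looks like: a small Content-Disposition parser plus a whitelist-style check that only accepts a plain, non-hidden, single path component. The `auto_rename` flag, the hypothetical URLs and the header strings are all constructed for the example; `auto_rename` merely stands in for the role the advisory gives to xfer:auto-rename and is not that setting.

```python
"""Defensive handling of server-suggested download filenames (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Bytes never accepted in a locally created file name: NUL and other control
# characters, plus both path separators (a bare name must be one component).
_FORBIDDEN = re.compile(r'[\x00-\x1f\x7f/\\]')

# filename="quoted" | filename=token | filename*=charset'lang'pct-encoded
_PARAM = re.compile(r';\s*(filename\*?)\s*=\s*("([^"]*)"|([^;]*))', re.IGNORECASE)


def parse_content_disposition(header):
    """Return the raw filename a Content-Disposition header suggests, or None.

    Understands filename="..." and the RFC 5987 form filename*=UTF-8''...;
    when both appear the extended form wins, as the RFC prescribes.
    """
    plain = ext = None
    for m in _PARAM.finditer(header):
        key = m.group(1).lower()
        val = m.group(3) if m.group(3) is not None else m.group(4).strip()
        if key == 'filename*':
            parts = val.split("'", 2)          # charset ' language ' value
            if len(parts) == 3:
                try:
                    ext = unquote(parts[2], encoding=parts[0] or 'utf-8',
                                  errors='strict')
                except (LookupError, UnicodeDecodeError):
                    ext = None                 # unknown charset or bad bytes
        else:
            plain = val
    return ext if ext is not None else plain


def is_safe_filename(name):
    """Accept only a plain, non-hidden, single path component.

    Rejects '', '.', '..' and any other dotfile (the advisory's example),
    anything containing '/' or '\\' or control characters, and names that
    carry leading or trailing whitespace.
    """
    if not name or name.startswith('.'):
        return False
    if _FORBIDDEN.search(name):
        return False
    if name != name.strip():
        return False
    return True


def local_name_for(url, header=None, auto_rename=False):
    """Choose the local file name for a download.

    Default policy mirrors the behaviour the advisory describes for the
    updated package: the server's suggestion is ignored and the last path
    component of the URL is used.  With auto_rename=True (an assumed flag,
    standing in for lftp's xfer:auto-rename) the suggestion is honoured, but
    only if it passes is_safe_filename(); otherwise the URL name is used.
    """
    url_name = unquote(urlsplit(url).path.rsplit('/', 1)[-1])
    # The URL's own basename can be hostile too (e.g. percent-encoded '..').
    fallback = url_name if is_safe_filename(url_name) else 'download'
    if not auto_rename or header is None:
        return fallback
    suggested = parse_content_disposition(header)
    if suggested is not None and is_safe_filename(suggested):
        return suggested
    return fallback


if __name__ == '__main__':
    # Constructed sample headers, as a hostile or careless server might send.
    url = 'http://example.test/files/report.pdf'
    for hdr in ('attachment; filename="notes.txt"',
                'attachment; filename=".bashrc"',
                'attachment; filename="../../x"',
                "attachment; filename*=UTF-8''%2e%2e%2fsecret",
                "attachment; filename=\"a.txt\"; filename*=UTF-8''r%C3%A9sum%C3%A9.txt"):
        print(f'{hdr!r:70} default={local_name_for(url, hdr)!r} '
              f'auto_rename={local_name_for(url, hdr, auto_rename=True)!r}')
```

The design choice worth noting is that the check is an allow-list over the final name rather than a strip-and-continue sanitiser: a name that fails is discarded entirely and the URL's own basename is used, so a rejected suggestion can never degrade into a different but still attacker-chosen name.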
    
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1.diff.gz
          Size/MD5:    13383 dfc4f52d9d2a2a0798d6b3fe9e53e9ca
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1.dsc
          Size/MD5:      735 c437fe420a9ea04dae271f3bc5156f48
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.6.1.orig.tar.gz
          Size/MD5:  1806782 cb074387f2516efe6abe5664af5504f9
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1_amd64.deb
          Size/MD5:   433588 bf2ccb726c6f658caa3c5c6aa029257b
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1_i386.deb
          Size/MD5:   398738 d1ec62b4b33785c745e7d10ca30f90cb
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1_lpia.deb
          Size/MD5:   405662 a71e74893407cba0d9ef96c402ac60e3
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1_powerpc.deb
          Size/MD5:   428536 522aa38b50d4e5b01e92680a14dcb9d7
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.6.1-1ubuntu0.1_sparc.deb
          Size/MD5:   392686 0004e5ca7e3fcaab3b1b10f431655670
    
    Updated packages for Ubuntu 9.04:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1.diff.gz
          Size/MD5:    14075 b04d88a4d5afefd2cf2cc018da908082
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1.dsc
          Size/MD5:     1151 4b8c86550b9d42c9d9b2677868e9e462
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.8.orig.tar.gz
          Size/MD5:  1920121 014a4ac6b9ea4016d5cd64afe0397b89
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1_amd64.deb
          Size/MD5:   470430 46a72bd567b2ee6c9dce31f1583daf4a
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1_i386.deb
          Size/MD5:   401102 1e0b78a5b2659c8e81cde7d6fed715ef
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1_lpia.deb
          Size/MD5:   404420 c6e1cec2e0fce91b5c7b3bd696b6a7ac
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1_powerpc.deb
          Size/MD5:   425506 02497ad03d03a35204e820f94b951624
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.7.8-1ubuntu0.1_sparc.deb
          Size/MD5:   393988 90876d9d92e53ad028be5feedce5772e
    
    Updated packages for Ubuntu 9.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1.diff.gz
          Size/MD5:    15248 10d56523f7ca48b4f7ca7b12b54acdc0
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1.dsc
          Size/MD5:     1188 24cc77bbaaaf15083280ee374b74e952
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.15.orig.tar.gz
          Size/MD5:  2058252 6c43ffdb59234ff0533cfdda0c3c305c
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1_amd64.deb
          Size/MD5:   475460 a7ec4eec5d4c1b7ef1a2219859f30176
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1_i386.deb
          Size/MD5:   402688 54fa38a65903bd2c349d34632181a897
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1_lpia.deb
          Size/MD5:   409754 e1a502620c2f43098094c57d76701f0b
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1_powerpc.deb
          Size/MD5:   428098 085709c6757b7eab7b4a50e0a7042e3a
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_3.7.15-1ubuntu2.1_sparc.deb
          Size/MD5:   399942 aca438001e1fd5e67aa4b24cb0e73339
    
    Updated packages for Ubuntu 10.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_4.0.2-1ubuntu0.1.diff.gz
          Size/MD5:    14333 b8eaaa8956251f2aef43d311e938d64f
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_4.0.2-1ubuntu0.1.dsc
          Size/MD5:     1162 a5f76a996c9e576d10bf7feeaf409950
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_4.0.2.orig.tar.gz
          Size/MD5:  2156591 664fd567bb49e1e4dea1ba37430a8449
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_4.0.2-1ubuntu0.1_amd64.deb
          Size/MD5:   511634 d594a860b7d9d9be923b6e6fa9216ba0
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/l/lftp/lftp_4.0.2-1ubuntu0.1_i386.deb
          Size/MD5:   432956 75e0e9565d5f891979ea8247628f2a92
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_4.0.2-1ubuntu0.1_powerpc.deb
          Size/MD5:   460922 b64331d0f6056ab5803bf71a752f8a55
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/l/lftp/lftp_4.0.2-1ubuntu0.1_sparc.deb
          Size/MD5:   439560 16849aeada278a342944dd87df4baed6
    