
Stay Secure with the Latest Linux Advisories



Explore Latest Linux Security advisories

We found 12 articles for you...

Fedora LFTP Update: 2023-057 Critical Buffer Overflow Risk

An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the user's machine.

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2003-025
2003-12-12
---------------------------------------------------------------------

Name        : lftp
Version     : 2.6.10
Release     : 1
Summary     : A sophisticated file transfer program
Description :
LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.

---------------------------------------------------------------------
Update Information:

Ulf Härnhammar found a remotely-triggerable buffer overflow in lftp. An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the user's machine.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages, which upgrade lftp to a version which is not vulnerable to this issue.

Red Hat would like to thank Ulf Härnhammar for discovering and alerting us to this issue.

---------------------------------------------------------------------
* Fri Dec 12 2003 Nalin Dahyabhai 2.6.10-1
- update to 2.6.10, which folds in the previous patches
- configure with --with-debug so that we get useful debug info

* Tue Dec 09 2003 Nalin Dahyabhai 2.6.9-1
- include patch based on patch from Ulf Härnhammar to fix unsafe use of sscanf when reading http directory listings (CAN-2003-0963)
- include patch based on patch from Ulf Härnhammar to fix compile warnings modified based on input from Solar Designer

* Mon Dec 08 2003 Nalin Dahyabhai
- update to 2.6.9

---------------------------------------------------------------------
This update can be downloaded from:

b36e31c19e088ee086afc9c42dacd471  SRPMS/lftp-2.6.10-1.src.rpm
1a6ab3a0b3df685cc1354bf4740a7201  i386/lftp-2.6.10-1.i386.rpm
7c70562d0c91db1b15d21d0f56f32ea0  i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

LFTP on Fedora has been found to have a critical security flaw; users should take immediate steps to update their software to prevent possible remote code execution attacks.

lftp buffer overflow, fedora update, remote code execution.

Severity: Critical.

LinuxSecurity.com Team

Jun 08, 2023 Critical Fedora

Scientific Linux SL7: SLSA-2020-1045-1 Moderate Level lftp Threat

lftp: particular remote file names may lead to current working directory erased

Synopsis: Moderate: lftp security update
Advisory ID: SLSA-2020:1045-1
Issue Date: 2020-04-07
CVE Numbers: CVE-2018-10916
--
* lftp: particular remote file names may lead to current working directory erased
--
SL7
  x86_64
    lftp-4.4.8-12.el7.x86_64.rpm
    lftp-4.4.8-12.el7.i686.rpm
    lftp-debuginfo-4.4.8-12.el7.i686.rpm
    lftp-debuginfo-4.4.8-12.el7.x86_64.rpm
  noarch
    lftp-scripts-4.4.8-12.el7.noarch.rpm

- Scientific Linux Development Team

Timely security patch for lftp on SL7.x systems that resolves possible directory deletion vulnerabilities through external files.

lftp security update, Scientific Linux, SL7.x advisory, remote file access, lftp data loss.

LinuxSecurity.com Team

Apr 20, 2020 Scientific Linux

Red Hat Enterprise Linux 7: RHSA-2020-1045-01 Moderate: LFTP Update

An update for lftp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from.

====================================================================
Red Hat Security Advisory

Synopsis:     Moderate: lftp security update
Advisory ID:  RHSA-2020:1045-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1045
Issue date:   2020-03-31
CVE Names:    CVE-2018-10916
====================================================================

1. Summary:

An update for lftp is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

LFTP is a file transfer utility for File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), Hypertext Transfer Protocol (HTTP), and other commonly used protocols. It uses the readline library for input, and provides support for bookmarks, built-in monitoring, job control, and parallel transfer of multiple files at the same time.

Security Fix(es):

* lftp: particular remote file names may lead to current working directory erased (CVE-2018-10916)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1610349 - CVE-2018-10916 lftp: particular remote file names may lead to current working directory erased

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
lftp-4.4.8-12.el7.src.rpm

x86_64:
lftp-4.4.8-12.el7.i686.rpm
lftp-4.4.8-12.el7.x86_64.rpm
lftp-debuginfo-4.4.8-12.el7.i686.rpm
lftp-debuginfo-4.4.8-12.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
lftp-scripts-4.4.8-12.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
lftp-4.4.8-12.el7.src.rpm

x86_64:
lftp-4.4.8-12.el7.i686.rpm
lftp-4.4.8-12.el7.x86_64.rpm
lftp-debuginfo-4.4.8-12.el7.i686.rpm
lftp-debuginfo-4.4.8-12.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
lftp-scripts-4.4.8-12.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
lftp-4.4.8-12.el7.src.rpm

ppc64:
lftp-4.4.8-12.el7.ppc.rpm
lftp-4.4.8-12.el7.ppc64.rpm
lftp-debuginfo-4.4.8-12.el7.ppc.rpm
lftp-debuginfo-4.4.8-12.el7.ppc64.rpm

ppc64le:
lftp-4.4.8-12.el7.ppc64le.rpm
lftp-debuginfo-4.4.8-12.el7.ppc64le.rpm

s390x:
lftp-4.4.8-12.el7.s390.rpm
lftp-4.4.8-12.el7.s390x.rpm
lftp-debuginfo-4.4.8-12.el7.s390.rpm
lftp-debuginfo-4.4.8-12.el7.s390x.rpm

x86_64:
lftp-4.4.8-12.el7.i686.rpm
lftp-4.4.8-12.el7.x86_64.rpm
lftp-debuginfo-4.4.8-12.el7.i686.rpm
lftp-debuginfo-4.4.8-12.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
lftp-scripts-4.4.8-12.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
lftp-4.4.8-12.el7.src.rpm

x86_64:
lftp-4.4.8-12.el7.i686.rpm
lftp-4.4.8-12.el7.x86_64.rpm
lftp-debuginfo-4.4.8-12.el7.i686.rpm
lftp-debuginfo-4.4.8-12.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
lftp-scripts-4.4.8-12.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2018-10916
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/7.8_release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list

A new security patch for LFTP has been released for Red Hat Enterprise Linux 7, classified with moderate severity. This update addresses critical vulnerabilities.

Linux Enterprise Security, LFTP Update, Red Hat Security Advisory.

LinuxSecurity.com Team

Mar 31, 2020 Red Hat

openSUSE Leap 15.0: openSUSE-SU-2019:1110-1 Moderate: lftp File Issue

An update that solves one vulnerability and has one errata is now available.

openSUSE Security Update: Security update for lftp
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:1110-1
Rating:             moderate
References:         #1103367 #1120946
Cross-References:   CVE-2018-10916
Affected Products:  openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for lftp fixes the following issues:

Security issue fixed:

- CVE-2018-10916: Fixed an improper file name sanitization which could lead to loss of integrity of the local system (bsc#1103367).

Other issue addressed:

- The SSH login handling code detects password prompts more reliably (bsc#1120946).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

  zypper in -t patch openSUSE-2019-1110=1

Package List:

- openSUSE Leap 15.0 (x86_64):

  lftp-4.8.3-lp150.3.3.1
  lftp-debuginfo-4.8.3-lp150.3.3.1
  lftp-debugsource-4.8.3-lp150.3.3.1

References:

https://www.suse.com/security/cve/CVE-2018-10916.html
https://bugzilla.suse.com/1103367
https://bugzilla.suse.com/1120946

--

Debian Security Update for wget resolves a minor vulnerability that impacts user data through network transactions.

openSUSE Security, lftp Update, moderate Threat, System Integrity, File Handling Issue.

LinuxSecurity.com Team

Apr 02, 2019 OpenSUSE

SUSE: 2019:0643-1 Moderate Vulnerability in lftp File Integrity

An update that solves one vulnerability and has one errata is now available.

SUSE Security Update: Security update for lftp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0643-1
Rating:             moderate
References:         #1103367 #1120946
Cross-References:   CVE-2018-10916
Affected Products:  SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for lftp fixes the following issues:

Security issue fixed:

- CVE-2018-10916: Fixed an improper file name sanitization which could lead to loss of integrity of the local system (bsc#1103367).

Other issue addressed:

- The SSH login handling code detects password prompts more reliably (bsc#1120946).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-643=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

  lftp-4.8.3-4.3.1
  lftp-debuginfo-4.8.3-4.3.1
  lftp-debugsource-4.8.3-4.3.1

References:

https://www.suse.com/security/cve/CVE-2018-10916.html
https://bugzilla.suse.com/1103367
https://bugzilla.suse.com/1120946

_______________________________________________
sle-security-updates mailing list
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE Security Patch for lftp resolves a noteworthy file consistency concern and enhances SSH management. Discover the details!

SUSE Linux, security update, lftp patch, system integrity, SSH enhancements.

LinuxSecurity.com Team

Mar 19, 2019 SuSE

SUSE: 2019:0642-1 Moderate: lftp Improper File Sanitization

An update that solves one vulnerability and has one errata is now available.

SUSE Security Update: Security update for lftp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0642-1
Rating:             moderate
References:         #1103367 #1120946
Cross-References:   CVE-2018-10916
Affected Products:
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP4
                    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for lftp fixes the following issues:

Security issue fixed:

- CVE-2018-10916: Fixed an improper file name sanitization which could lead to loss of integrity of the local system (bsc#1103367).

Other issue addressed:

- The SSH login handling code detects password prompts more reliably (bsc#1120946).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP4:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-642=1

- SUSE Linux Enterprise Server 12-SP3:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-642=1

- SUSE Linux Enterprise Desktop 12-SP4:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-642=1

- SUSE Linux Enterprise Desktop 12-SP3:

  zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2019-642=1

Package List:

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

  lftp-4.7.4-3.6.1
  lftp-debuginfo-4.7.4-3.6.1
  lftp-debugsource-4.7.4-3.6.1

- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

  lftp-4.7.4-3.6.1
  lftp-debuginfo-4.7.4-3.6.1
  lftp-debugsource-4.7.4-3.6.1

- SUSE Linux Enterprise Desktop 12-SP4 (x86_64):

  lftp-4.7.4-3.6.1
  lftp-debuginfo-4.7.4-3.6.1
  lftp-debugsource-4.7.4-3.6.1

- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

  lftp-4.7.4-3.6.1
  lftp-debuginfo-4.7.4-3.6.1
  lftp-debugsource-4.7.4-3.6.1

References:

https://www.suse.com/security/cve/CVE-2018-10916.html
https://bugzilla.suse.com/1103367
https://bugzilla.suse.com/1120946

_______________________________________________
sle-security-updates mailing list
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE Security Update: Security update for lftp

update, solves, vulnerability, errata, security.

Severity: Important.

LinuxSecurity.com Team

Mar 19, 2019 Important SuSE

Ubuntu 12.04 ESM USN-3731-2 Moderate lftp Denial Of Service

LFTP could be made to crash if it received specially crafted file.

=========================================================================
Ubuntu Security Notice USN-3731-2
August 06, 2018

lftp vulnerability
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

LFTP could be made to crash if it received specially crafted file.

Software Description:
- lftp: Sophisticated command-line FTP/HTTP client programs

Details:

USN-3731-1 fixed a vulnerability in LFTP. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that LFTP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM:
  lftp 4.3.3-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-3731-2
  https://ubuntu.com/security/notices/USN-3731-1
  CVE-2018-10916

A vulnerability in LFTP identified in USN-3731-2 affecting Ubuntu 12.04 ESM poses risks of system crashes due to specially crafted input files.

LFTP Vulnerability, Ubuntu ESM, Denial Of Service, Security Notice, System Update.

LinuxSecurity.com Team

Aug 06, 2018 Ubuntu

Ubuntu 18.04 LTS: USN-3742-1 Critical: LFTP Denial of Service

LFTP could be made to crash if it received specially crafted file.

=========================================================================
Ubuntu Security Notice USN-3731-1
August 06, 2018

lftp vulnerability
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LFTP could be made to crash if it received specially crafted file.

Software Description:
- lftp: Sophisticated command-line FTP/HTTP/BitTorrent client programs

Details:

It was discovered that LFTP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS:
  lftp 4.8.1-1ubuntu0.1

Ubuntu 16.04 LTS:
  lftp 4.6.3a-1ubuntu0.1

Ubuntu 14.04 LTS:
  lftp 4.4.13-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-3731-1
  CVE-2018-10196

Package Information:
  https://launchpad.net/ubuntu/+source/lftp/4.8.1-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/lftp/4.6.3a-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/lftp/4.4.13-1ubuntu0.1

Ubuntu Security Notice USN-3732-1 highlights a critical vulnerability in libcurl that could result in a potential denial of service.

Ubuntu LFTP Vulnerability, Denial of Service, Security Update.

Severity: Critical.

LinuxSecurity.com Team

Aug 06, 2018 Critical Ubuntu