lftp-3.7.11-4AXS3

エラータID: AXSA:2009-390:01

Release date: 
Tuesday, September 8, 2009 - 10:16
Subject: 
lftp-3.7.11-4AXS3
Affected Channels: 
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity: 
High
Description: 

LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.
Security bugs fixed by this release:
CVE-2007-2348
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as get which could overwrite executable files.

Solution: 

Update packages.

CVEs: 
CVE-2007-2348
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.


Additional Info: 

N/A

Download: 

SRPMS
  1. lftp-3.7.11-4AXS3.src.rpm
    MD5: 037155037e27bfd9c21a70d8fb63ea33
    SHA-256: df120c557b40784fd8d1e4f9f2481f921ebf554a9c42c5170f6daf7b16eb6c3c
    Size: 1.44 MB

Asianux Server 3 for x86
  1. lftp-3.7.11-4AXS3.i386.rpm
    MD5: 9b2064ccd2b4039e9c71b914e0aaf074
    SHA-256: 21508a8e26d94c40a0bf8e0f22d5402320d62e6016395b90dae60bceeb5a0fca
    Size: 932.55 kB

Asianux Server 3 for x86_64
  1. lftp-3.7.11-4AXS3.x86_64.rpm
    MD5: 6ddd5e8a9a89b920a61f6d0e7ba56f0d
    SHA-256: ad970af264b2738c270af613f8bdf2ab6e5712e0da3488765e69be86f8b5ac9e
    Size: 959.34 kB