lftp-3.7.11-4.AXS3.3

エラータID: AXSA:2010-400:01

Release date: 
Friday, August 6, 2010 - 20:37
Subject: 
lftp-3.7.11-4.AXS3.3
Affected Channels: 
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity: 
High
Description: 

LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.
Security issues fixed with this release:
CVE-2010-2251
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Solution: 

Update packages.

CVEs: 
CVE-2010-2251
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.


Additional Info: 

N/A

Download: 

SRPMS
  1. lftp-3.7.11-4.AXS3.3.src.rpm
    MD5: 023ccd4037ea8369365277b0bd5389c6
    SHA-256: 1d6bb9acf263df4ccc6dd37eb80a729e90f38001c23e5100dd359a25e16e088f
    Size: 1.44 MB

Asianux Server 3 for x86
  1. lftp-3.7.11-4.AXS3.3.i386.rpm
    MD5: 8f14e843f6e3311c893da54116cdfcdb
    SHA-256: eb82c80fd3bf424bd632f604525824a89e25c6c2abe7a468db468d5f106e8b72
    Size: 933.74 kB

Asianux Server 3 for x86_64
  1. lftp-3.7.11-4.AXS3.3.x86_64.rpm
    MD5: 784000362a33d450b38b55359aa74c39
    SHA-256: b378c2bad7d76c647d2144c8c8e0f2cf3298dd4364b1cff399ae483e4a2aaaae
    Size: 960.52 kB