167535 2007-02-18 21:13 0000 net-ftp/lftp-3.5.9 mark stable (due 20060319) (was: version bump) 2007-05-06 11:01:34 0000 1 1 1 Unclassified Gentoo Linux Ebuilds 2006.1 All Linux RESOLVED FIXED P2 enhancement --- 1 dev-zero@gentoo.org dragonheart@gentoo.org dev-zero@gentoo.org 2007-02-18 21:13:56 0000 From the ChangeLog: 2007-01-09: lftp-3.5.9 released. Fixed a potential security vulnerability in mirror --script. 2006-12-28: lftp-3.5.8 released. Fixed sleep command. 2006-12-08: lftp-3.5.7 released. Fixed a spurious timeout when uploading a file. [...] Therefore it might be a good idea to directly mark the new version stable. dragonheart@gentoo.org 2007-02-19 08:39:30 0000 ------> /usr/share/doc/lftp-3.5.9/NEWS.bz2 <------ Version 3.5.9 - 2007-01-09 * fixed `mirror --script' which generated improperly quoted shell commands (potential security vulnerability, when someone executes the resulting script). I'm not considering this a real security vulerability. The announce would probably look like "If a user runs a lftp mirror scripted by someone else they could arbitarliy execute code". Feel free to disagree. Otherwise - stable in 30 days. dragonheart@gentoo.org 2007-05-06 11:01:34 0000 opps - must of been forgetting stuff. seems fixed in bug 173524