| Bug#: 167535 | Product: Gentoo Linux | Version: 2006.1 | Platform: All |
| OS/Version: Linux | Status: RESOLVED | Severity: enhancement | Priority: P2 |
| Resolution: FIXED | Assigned To: dragonheart@gentoo.org | Reported By: dev-zero@gentoo.org | Component: Ebuilds |
| Summary: net-ftp/lftp-3.5.9 mark stable (due 20060319) (was: version bump) |
| Opened: 2007-02-18 21:13 0000 |
| Description: |
From the ChangeLog:

2007-01-09: lftp-3.5.9 released. Fixed a potential security vulnerability in mirror --script.
2006-12-28: lftp-3.5.8 released. Fixed sleep command.
2006-12-08: lftp-3.5.7 released. Fixed a spurious timeout when uploading a file.
[...]

Therefore it might be a good idea to directly mark the new version stable.

------> /usr/share/doc/lftp-3.5.9/NEWS.bz2 <------
Version 3.5.9 - 2007-01-09
* fixed `mirror --script' which generated improperly quoted shell commands (potential security vulnerability, when someone executes the resulting script).

I'm not considering this a real security vulnerability. The announcement would probably look like "If a user runs an lftp mirror scripted by someone else they could arbitrarily execute code". Feel free to disagree. Otherwise - stable in 30 days.

Oops - must have been forgetting stuff. Seems fixed in bug 173524.