Summary: | lftp 2.6.10 released (with *security* fix) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Marc Bevand <bevand_m> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | ppc, security, trance |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://ftp.yars.free.net/pub/software/unix/net/ftp/client/lftp/ | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Marc Bevand
2003-12-15 04:52:28 UTC
from <http://lftp.yar.ru/news.html>: Version 2.6.10 - 2003-12-11 Some bugs fixed. security fixes in html parsing code. fxp between ftps session is now possible (unencrypted yet). fixed a rare bug with access to freed memory in ftp. fixed a bug in mirror, now it does not incorrectly append directory name when target directory is the root. fixed compilation on AIX. Polish translation updated. okay, updated. removing all builds I can (safely) do. Testing in progress. Remove what remains as you release the advisory. tested on all arches that has it stable. all old builds removed. trance: can you look at why this is in the lftp changelog: 11 Apr 2003; Graham Forest <vladimir@gentoo.org> lftp-2.5.4-r1.ebuild, lftp-2.6.2.ebuild, lftp-2.6.3.ebuild, lftp-2.6.4.ebuild, lftp-2.6.5.ebuild: -ppc'd until >=sys-devel/binutils-2.13.90.0.20 is ok on ppc that version of binutils is still not stable on ppc. ppc is already way beyond that binutils version, lftp 2.6.10 works glsa 200312-07 sent as: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200312-07 - -------------------------------------------------------------------------- GLSA: 200312-07 Package: net-ftp/lftp Summary: Two buffer overflow problems found in lftp Severity: minimal Gentoo bug: 35866 Date: 2003-12-16 CVE: CAN-2003-0963 Exploit: remote Affected: <=2.6.9 Fixed: >=2.6.10 DESCRIPTION: Two buffer overflow problems have been found in lftp, a multithreaded command-line based FTP client. A specially created directory on a web server could be used to execute arbitrary code on the connecting machine. The user's machine has to connect to a malicious web server using HTTP or HTTPS, then issue an "ls" or "rels" command. Please see <http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0> for more details on this problem. SOLUTION: All machines which have net-ftp/lftp installed should be updated to use version 2.6.10 or higher using these commands: emerge sync emerge -pv '>=net-ftp/lftp-2.6.10' emerge '>=net-ftp/lftp-2.6.10' emerge clean // end -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/4U3Wnt0v0zAqOHYRAm7VAJsHDxrJLLQOU51blaP2VMCjkt/+dQCcC6zP m/ELiJH0C0PukA++i1CfCmc= =h16K -----END PGP SIGNATURE----- |