CVE-2010-2251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2251): The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
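
The validation the CVE description says was missing, sketched as an added example: this is not part of the bug report and not the actual LFTP fix. The helper name `safe_download_name`, its rejection policy and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: derive a local filename from a server-suggested one
 * (e.g. the filename parameter of a Content-Disposition header).
 * Returns 0 and fills out on success, -1 if the suggestion is rejected;
 * the caller should then fall back to a name taken from the requested URL. */
int safe_download_name(const char *suggested, char *out, size_t outlen)
{
    if (suggested == NULL || out == NULL || outlen == 0)
        return -1;

    /* Keep only the final path component. Both separators count as
     * directory boundaries, so "/etc/x" and "..\\x" lose their prefix. */
    const char *base = suggested;
    for (const char *p = suggested; *p; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    size_t len = strlen(base);
    if (len == 0 || len >= outlen)
        return -1;                  /* empty, or would not fit in out */

    /* A leading dot covers ".", ".." and dotfiles, the case the CVE text
     * singles out (writing to a dotfile in a home directory). */
    if (base[0] == '.')
        return -1;

    /* Control characters can disguise the real name in terminal output. */
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)base[i] < 0x20 || base[i] == 0x7f)
            return -1;

    memcpy(out, base, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample suggestions, not taken from the bug report. */
    const char *samples[] = { "report.pdf", "../../.bashrc",
                              "/home/u/.profile", "..", "dir\\file.txt", "" };
    char name[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int ok = safe_download_name(samples[i], name, sizeof name) == 0;
        printf("%-20s -> %s\n", samples[i], ok ? name : "rejected");
    }
    return 0;
}
```

Stripping to the basename confines the write to the current directory; a client should additionally open the destination without overwriting existing files unless the user asked for that.
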
Please remove vulnerable versions.
(In reply to comment #1)
> Please remove vulnerable versions.

We're not done stabilising 4.0.9 yet (bug #327979).

Arches, please continue stabilising:
=net-ftp/lftp-4.0.9
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"

Stable for PPC.
*** Bug 327979 has been marked as a duplicate of this bug. ***
alpha/arm/ia64/s390/sparc stable
ppc64 done
Vulnerable version 4.0.5 is out of the tree.
jer: *never* change whiteboard, if you do not know the exact procedure. It's changed to glsa after we filed a glsa request only! GLSA request filed.
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).