LinuxSecurity.com
Mandriva: 2010:128: lftp
Posted by Benjamin D. Thomas
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:128
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : lftp
 Date    : July 6, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in lftp:
 
 The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
 properly validate a server-provided filename before determining the
 destination filename of a download, which allows remote servers to
 create or overwrite arbitrary files via a Content-Disposition header
 that suggests a crafted filename, and possibly execute arbitrary
 code as a consequence of writing to a dotfile in a home directory
 (CVE-2010-2251).
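The defect described above is a download client trusting a server-supplied name. The following is an added illustration, written for this page and not lftp's code or its actual fix: it parses the `filename` and RFC 5987 `filename*` parameters of a Content-Disposition header, then applies the checks a download tool should make before using the suggestion as a destination (single path component, no separators, no dotfile, no control characters), falling back to the URL's last path segment and finally confirming the resolved path stays inside the download directory. The header values and the `audit_samples` helper are constructed for the demonstration.

```python
import os
import re
import urllib.parse
from typing import Optional

# Constructed sample header values (not taken from the advisory) covering the
# cases the advisory describes: a harmless name, directory traversal into a
# dotfile, a bare dotfile, an RFC 5987 percent-encoded traversal, and no name.
SAMPLE_HEADERS = [
    'attachment; filename="report.pdf"',
    'attachment; filename="../../.bashrc"',
    'attachment; filename=".profile"',
    "attachment; filename*=UTF-8''%2e%2e%2f%2e%2e%2fevil.sh",
    "inline",
]

_FILENAME_STAR = re.compile(r"filename\*\s*=\s*([^;]+)", re.IGNORECASE)
_FILENAME = re.compile(r'filename\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))', re.IGNORECASE)


def parse_content_disposition_filename(header: str) -> Optional[str]:
    """Return the filename the server suggested, or None if there is none.

    Prefers the RFC 5987 filename* form (charset'language'pct-encoded) over
    the plain filename= form. No validation happens here; this is only the
    untrusted input the later checks operate on."""
    m = _FILENAME_STAR.search(header)
    if m:
        parts = m.group(1).strip().split("'", 2)
        if len(parts) == 3:
            charset, _lang, encoded = parts
            try:
                return urllib.parse.unquote(encoded, encoding=charset or "utf-8", errors="strict")
            except (LookupError, UnicodeDecodeError):
                return None
    m = _FILENAME.search(header)
    if m:
        quoted, bare = m.group(1), m.group(2)
        return quoted.replace('\\"', '"') if quoted is not None else bare
    return None


def is_safe_download_name(name: Optional[str]) -> bool:
    """Accept only a single plain path component that can neither escape the
    download directory nor create or overwrite a dotfile."""
    if not name:
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    if name in (".", "..") or name.startswith("."):
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return False
    return True


def choose_destination(download_dir: str, url: str, header: Optional[str]) -> str:
    """Pick the local destination: the server's suggestion only if it passes
    the checks, otherwise the URL's last path segment (checked the same way),
    otherwise a fixed neutral name."""
    suggested = parse_content_disposition_filename(header) if header else None
    if is_safe_download_name(suggested):
        name = suggested
    else:
        fallback = os.path.basename(urllib.parse.urlsplit(url).path)
        name = fallback if is_safe_download_name(fallback) else "download"
    dest = os.path.realpath(os.path.join(download_dir, name))
    root = os.path.realpath(download_dir)
    # Defence in depth: whatever name was chosen, the resolved path must be a
    # direct child of the download directory.
    if os.path.dirname(dest) != root:
        raise ValueError("destination escapes download directory")
    return dest


def audit_samples():
    """Run every constructed header through parse + check; returns
    (header, suggested name, accepted?) tuples."""
    return [
        (h, parse_content_disposition_filename(h),
         is_safe_download_name(parse_content_disposition_filename(h)))
        for h in SAMPLE_HEADERS
    ]


if __name__ == "__main__":
    for header, suggested, ok in audit_samples():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {suggested!r:30} <- {header}")
    print(choose_destination("/tmp/dl", "http://example.invalid/pub/file.tar.gz",
                             'attachment; filename="../../.bashrc"'))
```

Note that the check is an allow-list on shape rather than a search for `..`: a name such as `.bashrc` contains no traversal at all, yet writing it into a home directory is exactly the code-execution path the advisory mentions, so leading dots are refused outright.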
 
 Packages for 2008.0 and 2009.0 are provided as part of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 Additionally, on 2008.0 lftp has been upgraded to 3.7.4.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2251
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 70002b25ea687e18daaf1d2d650d2311  2008.0/i586/lftp-3.7.4-0.1mdv2008.0.i586.rpm
 267d114587a3bb33a1924eafa2e53681  2008.0/i586/liblftp0-3.7.4-0.1mdv2008.0.i586.rpm
 670405b305aa03dcbe2c340a2813e2bd  2008.0/i586/liblftp-devel-3.7.4-0.1mdv2008.0.i586.rpm 
 4a37f82002ea3042d5f66562dad92837  2008.0/SRPMS/lftp-3.7.4-0.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 e53191e7cc41c58982deddf3e7e628ce  2008.0/x86_64/lftp-3.7.4-0.1mdv2008.0.x86_64.rpm
 d518833d3ea17bde4a77b388c20ee262  2008.0/x86_64/lib64lftp0-3.7.4-0.1mdv2008.0.x86_64.rpm
 2c88562a368ccdf00841d4e044c8f012  2008.0/x86_64/lib64lftp-devel-3.7.4-0.1mdv2008.0.x86_64.rpm 
 4a37f82002ea3042d5f66562dad92837  2008.0/SRPMS/lftp-3.7.4-0.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 a04887286756ecf0218e67981098ee00  2009.0/i586/lftp-3.7.4-1.1mdv2009.0.i586.rpm
 2c9165b6386ed899758a2ea404a9385d  2009.0/i586/liblftp0-3.7.4-1.1mdv2009.0.i586.rpm
 8c86068b9e839b47a93c23541456b3cc  2009.0/i586/liblftp-devel-3.7.4-1.1mdv2009.0.i586.rpm 
 187fb4a21859de94bf111fdb21f22c4c  2009.0/SRPMS/lftp-3.7.4-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 18e95b0f96e05c4f4d08ff7ff0ec29b0  2009.0/x86_64/lftp-3.7.4-1.1mdv2009.0.x86_64.rpm
 0b53aff2ff5bd9fb9cf36dfdedd3c582  2009.0/x86_64/lib64lftp0-3.7.4-1.1mdv2009.0.x86_64.rpm
 e6461691120dadda1f414a1611e4ece0  2009.0/x86_64/lib64lftp-devel-3.7.4-1.1mdv2009.0.x86_64.rpm 
 187fb4a21859de94bf111fdb21f22c4c  2009.0/SRPMS/lftp-3.7.4-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 d9069ed3bb5e11948564e280565f0768  2009.1/i586/lftp-3.7.9-1.1mdv2009.1.i586.rpm
 80a0214dcea80af012c07eea76c4e5c7  2009.1/i586/liblftp0-3.7.9-1.1mdv2009.1.i586.rpm
 a5c2a6e01c53d6dd1d990bcdbeb1c68c  2009.1/i586/liblftp-devel-3.7.9-1.1mdv2009.1.i586.rpm 
 2e8cab06f3d9a82ea69ad764e189bb4a  2009.1/SRPMS/lftp-3.7.9-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 97657f39c592d50f47c8f65df94a2e19  2009.1/x86_64/lftp-3.7.9-1.1mdv2009.1.x86_64.rpm
 e029a26bf63f859393b05ad8be3121c4  2009.1/x86_64/lib64lftp0-3.7.9-1.1mdv2009.1.x86_64.rpm
 374fe6c5118959366aa568861e868b49  2009.1/x86_64/lib64lftp-devel-3.7.9-1.1mdv2009.1.x86_64.rpm 
 2e8cab06f3d9a82ea69ad764e189bb4a  2009.1/SRPMS/lftp-3.7.9-1.1mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 7e40d6fed798df5e6e2ad91f0518f1fe  2010.0/i586/lftp-3.7.15-1.1mdv2010.0.i586.rpm
 a0f2d233784d358a9b908650e69c2ccc  2010.0/i586/liblftp0-3.7.15-1.1mdv2010.0.i586.rpm
 217d90aadfc3344ec3cdc0dedb97e819  2010.0/i586/liblftp-devel-3.7.15-1.1mdv2010.0.i586.rpm 
 862ebfc437fcbc900662366f93df5d70  2010.0/SRPMS/lftp-3.7.15-1.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 54b1fec82936e06338906db09b49a8a6  2010.0/x86_64/lftp-3.7.15-1.1mdv2010.0.x86_64.rpm
 17598246912347e614013f002338365d  2010.0/x86_64/lib64lftp0-3.7.15-1.1mdv2010.0.x86_64.rpm
 aa6338f3dd92dbc7adf3ae978db61a5b  2010.0/x86_64/lib64lftp-devel-3.7.15-1.1mdv2010.0.x86_64.rpm 
 862ebfc437fcbc900662366f93df5d70  2010.0/SRPMS/lftp-3.7.15-1.1mdv2010.0.src.rpm

 Mandriva Enterprise Server 5:
 e0fe03efa978c234e8365fe9ab08ad9c  mes5/i586/lftp-3.7.4-1.1mdvmes5.1.i586.rpm
 1c57f9608cbd607bda8bf55bc76600d9  mes5/i586/liblftp0-3.7.4-1.1mdvmes5.1.i586.rpm
 dff1c808bb1cfa0b0e067e6c41b3db03  mes5/i586/liblftp-devel-3.7.4-1.1mdvmes5.1.i586.rpm 
 5d46343519e5e1a495ed1d7980527dd6  mes5/SRPMS/lftp-3.7.4-1.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 aa0674de92d88ea5520e6c86e77fa3e6  mes5/x86_64/lftp-3.7.4-1.1mdvmes5.1.x86_64.rpm
 c415d4ff0363c8c264de64f019e988b0  mes5/x86_64/lib64lftp0-3.7.4-1.1mdvmes5.1.x86_64.rpm
 26f7432fb7542a7f0eaecea1b947e47d  mes5/x86_64/lib64lftp-devel-3.7.4-1.1mdvmes5.1.x86_64.rpm 
 5d46343519e5e1a495ed1d7980527dd6  mes5/SRPMS/lftp-3.7.4-1.1mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
 
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.