Slackware: lftp Code parsing vunlerability
Posted by LinuxSecurity.com Team   
Slackware According to the NEWS file, this includes "security fixes in html parsing code" which could cause a compromise when using lftp to access an untrusted site.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  lftp security update (SSA:2003-346-01)

lftp is a file transfer program that connects to other hosts
using FTP, HTTP, and other protocols.

A security problem with lftp has been corrected with the release
of lftp-2.6.10.  New packages are available for Slackware 8.1,
9.0, 9.1, and -current.  Any sites using lftp should upgrade to
the new packages.


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Fri Dec 12 11:12:05 PST 2003
patches/packages/lftp-2.6.10-i486-1.tgz:  Upgraded to lftp-2.6.10.
  According to the NEWS file, this includes "security fixes in html
  parsing code" which could cause a compromise when using lftp to
  access an untrusted site.
  (* Security fix *)
+--------------------------+


WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+

Updated package for Slackware 8.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/lftp-2.6.10-i386-1.tgz

Updated package for Slackware 9.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/lftp-2.6.10-i386-1.tgz

Updated package for Slackware 9.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/lftp-2.6.10-i486-1.tgz

Updated package for Slackware -current: 
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/lftp-2.6.10-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
1e7eae2a8279491d439f4494c8733aa2  lftp-2.6.10-i386-1.tgz

Slackware 9.0 package:
af80878951917a6683bc3076947f2632  lftp-2.6.10-i386-1.tgz

Slackware 9.1 package:
e053a1641f1f16de8d2659e70ca81c04  lftp-2.6.10-i486-1.tgz

Slackware -current package:
07e76203820f54983cbc4591cc830b97  lftp-2.6.10-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade the package as root:
# upgradepkg lftp-2.6.10-i486-1.tgz


+-----+

Slackware Linux Security Team 
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/2hdTakRjwEAQIjMRAmHbAKCQtw9UN4ItGNph3ca4CqtfJDZiyACfV5gc
0uX5KSFnwEb2k0tucmkKWzI=
=SQlB
-----END PGP SIGNATURE-----