--------------------------------------------------------------------- Fedora Update Notification FEDORA-2003-034 2003-12-15 --------------------------------------------------------------------- Name : lftp Version : 2.6.10 Release : 1 Summary : A sophisticated file transfer program Description : LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind. --------------------------------------------------------------------- Update Information: Ulf Härnhammar found a remotely-triggerable buffer overflow in lftp. An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the users machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0963 to this issue. Users of lftp are advised to upgrade to these erratum packages, which upgrade lftp to a version which is not vulnerable to this issue. Red Hat would like to thank Ulf Härnhammar for discovering and alerting us to this issue. This update notification is being re-issued to correct the advisory ID and issue date. The update packages themselves are unchanged. --------------------------------------------------------------------- * Fri Dec 12 2003 Nalin Dahyabhai <nalin@xxxxxxxxxx> 2.6.10-1 - update to 2.6.10, which folds in the previous patches - configure with --with-debug so that we get useful debug info * Tue Dec 09 2003 Nalin Dahyabhai <nalin@xxxxxxxxxx> 2.6.9-1 - include patch based on patch from Ulf Härnhammar to fix unsafe use of sscanf when reading http directory listings (CAN-2003-0963) - include patch based on patch from Ulf Härnhammar to fix compile warnings modified based on input from Solar Designer * Mon Dec 08 2003 Nalin Dahyabhai <nalin@xxxxxxxxxx> - update to 2.6.9 --------------------------------------------------------------------- This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ b36e31c19e088ee086afc9c42dacd471 SRPMS/lftp-2.6.10-1.src.rpm 1a6ab3a0b3df685cc1354bf4740a7201 i386/lftp-2.6.10-1.i386.rpm 7c70562d0c91db1b15d21d0f56f32ea0 i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. ---------------------------------------------------------------------
Attachment:
pgpn32zLHkt3E.pgp
Description: PGP signature
