[SECURITY] Fedora Core 1 Update: lftp

Nalin Dahyabhai nalin at redhat.com
Mon Dec 15 16:18:59 UTC 2003 

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2003-025
2003-12-12
---------------------------------------------------------------------

Name        : lftp
Version     : 2.6.10                      
Release     : 1                  
Summary     : A sophisticated file transfer program
Description :
LFTP is a sophisticated ftp/http file transfer program. Like bash, it
has job control and uses the readline library for input. It has
bookmarks, built-in mirroring, and can transfer several files in
parallel. It is designed with reliability in mind.

---------------------------------------------------------------------

Update Information:

Ulf Härnhammar found a remotely-triggerable buffer overflow in lftp.

An attacker could create a carefully crafted directory on a website
such that, if a user connects to that directory using the lftp client
and subsequently issues a 'ls' or 'rels' command, the attacker could
execute arbitrary code on the users machine. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages, which
upgrade lftp to a version which is not vulnerable to this issue.

Red Hat would like to thank Ulf Härnhammar for discovering and
alerting us to this issue. 

---------------------------------------------------------------------

* Fri Dec 12 2003 Nalin Dahyabhai <nalin at redhat.com> 2.6.10-1

- update to 2.6.10, which folds in the previous patches
- configure with --with-debug so that we get useful debug info

* Tue Dec 09 2003 Nalin Dahyabhai <nalin at redhat.com> 2.6.9-1

- include patch based on patch from Ulf Härnhammar to fix unsafe use of
  sscanf when reading http directory listings (CAN-2003-0963)
- include patch based on patch from Ulf Härnhammar to fix compile warnings
  modified based on input from Solar Designer

* Mon Dec 08 2003 Nalin Dahyabhai <nalin at redhat.com>

- update to 2.6.9

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

b36e31c19e088ee086afc9c42dacd471  SRPMS/lftp-2.6.10-1.src.rpm
1a6ab3a0b3df685cc1354bf4740a7201  i386/lftp-2.6.10-1.i386.rpm
7c70562d0c91db1b15d21d0f56f32ea0  i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-announce-list/attachments/20031215/2db94456/attachment.sig>

More information about the fedora-announce-list mailing list