<<< Date Index >>>     <<< Thread Index >>>

GLSA: lftp (200312-07)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-07
- --------------------------------------------------------------------------

GLSA:        200312-07
Package:     net-ftp/lftp
Summary:     Two buffer overflow problems found in lftp
Severity:    minimal
Gentoo bug:  35866
Date:        2003-12-16
CVE:         CAN-2003-0963
Exploit:     remote
Affected:    <=2.6.9
Fixed:       >=2.6.10


DESCRIPTION:

Two buffer overflow problems have been found in lftp, a multithreaded
command-line based FTP client. A specially created directory on a web
server could be used to execute arbitrary code on the connecting machine.
The user's machine has to connect to a malicious web server using HTTP or
HTTPS, then issue an "ls" or "rels" command.

Please see
<http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0>
for more details on this problem.


SOLUTION:

All machines which have net-ftp/lftp installed should be updated to use
version 2.6.10 or higher using these commands:

        emerge sync
        emerge -pv '>=net-ftp/lftp-2.6.10'
        emerge '>=net-ftp/lftp-2.6.10'
        emerge clean


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/4U3Wnt0v0zAqOHYRAm7VAJsHDxrJLLQOU51blaP2VMCjkt/+dQCcC6zP
m/ELiJH0C0PukA++i1CfCmc=
=h16K
-----END PGP SIGNATURE-----