Fedora Core Advisory: lftp | Linux Today

Written By
Web Webster
Dec 15, 2003

Fedora Update Notification
FEDORA-2003-025
2003-12-12


Name : lftp
Version : 2.6.10
Release : 1
Summary : A sophisticated file transfer program

Description :
LFTP is a sophisticated ftp/http file transfer program. Like bash,
it has job control and uses the readline library for input. It has
bookmarks, built-in mirroring, and can transfer several files in
parallel. It is designed with reliability in mind.


Update Information:

Ulf Härnhammar found a remotely-triggerable buffer overflow
in lftp.

An attacker could create a carefully crafted directory on a
website such that, if a user connects to that directory using the
lftp client and subsequently issues a ‘ls’ or ‘rels’ command, the
attacker could execute arbitrary code on the user's machine. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages,
which upgrade lftp to a version which is not vulnerable to this
issue.

Red Hat would like to thank Ulf Härnhammar for discovering
and alerting us to this issue.


  • Fri Dec 12 2003 Nalin Dahyabhai <nalin@redhat.com> 2.6.10-1
    • update to 2.6.10, which folds in the previous patches
    • configure with --with-debug so that we get useful debug
      info
  • Tue Dec 09 2003 Nalin Dahyabhai <nalin@redhat.com> 2.6.9-1
    • include patch based on patch from Ulf Härnhammar to fix
      unsafe use of sscanf when reading http directory listings
      (CAN-2003-0963)
    • include patch based on patch from Ulf Härnhammar to fix
      compile warnings, modified based on input from Solar Designer
  • Mon Dec 08 2003 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.6.9
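
The changelog above attributes CAN-2003-0963 to unsafe use of sscanf when reading HTTP directory listings. The following is an added example, not lftp's code or the actual patch: it shows the general unbounded-conversion pattern in a comment and a width-limited parser beside it. The listing line format, the struct, the buffer sizes and the function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes are assumptions made for this example. */
struct listing_entry {
    char name[64];
    char date[16];
    long size;
};

/*
 * Unsafe pattern (comment only): conversions without a field width, e.g.
 *   sscanf(line, "<a href=\"%[^\"]\">%*[^<]</a> %s %ld", e->name, e->date, &e->size);
 * copy as many bytes as the server sends, whatever the destination size.
 *
 * Hardened form: every storing conversion has a width of sizeof(buf) - 1,
 * the result count is checked, and %n confirms the whole line was consumed.
 * Returns 0 on success, -1 on a malformed or over-long line.
 */
int parse_listing_line(const char *line, struct listing_entry *e)
{
    int after_date = -1, end = -1;

    memset(e, 0, sizeof *e);
    int n = sscanf(line, "<a href=\"%63[^\"]\">%*[^<]</a> %15s%n %9ld%n",
                   e->name, e->date, &after_date, &e->size, &end);
    if (n != 3 || end < 0)
        return -1;                      /* a field was missing or truncated */
    if (line[after_date] != ' ')
        return -1;                      /* date token ran past its width */
    if ((size_t)end != strlen(line))
        return -1;                      /* trailing bytes after the size */
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real server. */
    const char *samples[] = {
        "<a href=\"notes.txt\">notes.txt</a> 12-Dec-2003 4096",
        "<a href=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\">x</a> 12-Dec-2003 1",
        "<a href=\"a.txt\">a.txt</a> 12-Dec-2003 12345678901234567890",
    };
    struct listing_entry e;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               parse_listing_line(samples[i], &e) == 0 ? "accepted" : "rejected");
    return 0;
}
```

An over-long name fails at the closing quote literal, so the parser rejects the line instead of silently truncating the name.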

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

b36e31c19e088ee086afc9c42dacd471 SRPMS/lftp-2.6.10-1.src.rpm
1a6ab3a0b3df685cc1354bf4740a7201 i386/lftp-2.6.10-1.i386.rpm
7c70562d0c91db1b15d21d0f56f32ea0 i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.

