
Fedora Core Advisory: lftp


Fedora Update Notification
FEDORA-2003-025
2003-12-12


Name : lftp
Version : 2.6.10
Release : 1
Summary : A sophisticated file transfer program

Description :
LFTP is a sophisticated ftp/http file transfer program. Like bash,
it has job control and uses the readline library for input. It has
bookmarks, built-in mirroring, and can transfer several files in
parallel. It is designed with reliability in mind.


Update Information:

Ulf Härnhammar found a remotely-triggerable buffer overflow
in lftp.

An attacker could create a carefully crafted directory on a
website such that, if a user connects to that directory using the
lftp client and subsequently issues a ‘ls’ or ‘rels’ command, the
attacker could execute arbitrary code on the user's machine. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has
assigned the name CAN-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages,
which upgrade lftp to a version which is not vulnerable to this
issue.

Red Hat would like to thank Ulf Härnhammar for discovering
and alerting us to this issue.


  • Fri Dec 12 2003 Nalin Dahyabhai <nalin@redhat.com> 2.6.10-1
    • update to 2.6.10, which folds in the previous patches
    • configure with --with-debug so that we get useful debug
      info
  • Tue Dec 09 2003 Nalin Dahyabhai <nalin@redhat.com> 2.6.9-1
    • include patch based on patch from Ulf Härnhammar to fix
      unsafe use of sscanf when reading http directory listings
      (CAN-2003-0963)
    • include patch based on patch from Ulf Härnhammar to fix
      compile warnings modified based on input from Solar Designer
  • Mon Dec 08 2003 Nalin Dahyabhai <nalin@redhat.com>
    • update to 2.6.9
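The changelog attributes CAN-2003-0963 to an unsafe sscanf call while parsing HTTP directory listings. The following is an added illustration written for this page, not lftp's own code: a hypothetical listing-line parser that bounds the `%s` conversion, detects an over-long name instead of silently truncating it, and refuses malformed lines. The entry layout (name followed by a size) is an assumption for the example only.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical entry structure for the example; not lftp's own. */
#define NAME_MAX_LEN 63

struct list_entry {
    char name[NAME_MAX_LEN + 1];   /* +1 for the terminating NUL */
    unsigned long size;
};

/* The unsafe pattern, shown only as a comment and never executed here:
 * a bare "%s" has no upper bound, so a server-supplied name longer than
 * the destination buffer writes past its end.
 *
 *     char name[64];
 *     sscanf(line, "%s %lu", name, &size);   // no width: overflow
 */

/* Hardened parser. The width (%63s) caps the conversion one byte short
 * of the buffer so the NUL always fits, and %n records how far the scan
 * got so truncation can be detected by inspecting the next character.
 * Returns 1 on success, 0 for malformed or over-long input. */
int parse_listing_line(const char *line, struct list_entry *out)
{
    int consumed = 0;

    memset(out, 0, sizeof *out);

    if (sscanf(line, "%63s%n", out->name, &consumed) != 1)
        return 0;

    /* If the name field did not end at whitespace, the server sent more
     * than NAME_MAX_LEN bytes: reject rather than accept a clipped name. */
    if (line[consumed] != ' ' && line[consumed] != '\t')
        return 0;

    if (sscanf(line + consumed, "%lu", &out->size) != 1)
        return 0;

    return 1;
}

int main(void)
{
    struct list_entry e;
    /* Constructed sample line, not taken from any real server. */
    if (parse_listing_line("index.html 1024", &e))
        printf("name=%s size=%lu\n", e.name, e.size);
    return 0;
}
```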

This update can be downloaded from:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

b36e31c19e088ee086afc9c42dacd471 SRPMS/lftp-2.6.10-1.src.rpm
1a6ab3a0b3df685cc1354bf4740a7201 i386/lftp-2.6.10-1.i386.rpm
7c70562d0c91db1b15d21d0f56f32ea0 i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.

