
Updated lftp packages fix security vulnerability

Thorsten

Topic
Updated lftp packages are now available that fix a buffer overflow
security vulnerability.
Description
lftp is a command-line file transfer program supporting FTP and HTTP
protocols.

Ulf Härnhammar discovered a buffer overflow bug in versions of lftp up to
and including 2.6.9. An attacker could create a carefully crafted
directory on a website such that, if a user connects to that directory
using the lftp client and subsequently issues an 'ls' or 'rels' command, the
attacker could execute arbitrary code on the user's machine. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages, which
contain a backported security patch and are not vulnerable to this issue.

Red Hat would like to thank Ulf Härnhammar for discovering and alerting us
to this issue.
Affected Channels
Red Hat Linux 7.2 i386
Red Hat Linux 7.2 ia64
Red Hat Linux 7.3 i386
Red Hat Linux 8.0 i386
Red Hat Linux 9 i386

Fixes
(none)
Keywords
(none)
CVEs
CAN-2003-0963
References
(none)
Notes
(none)
