11118232 2003-12-18 02:01 -0500 /60 rader/ Rajiv Aaron Manglani <rajiv@gentoo.org>
Importerad: 2003-12-18 21:18 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <30408>
Ärende: GLSA: lftp (200312-07)
------------------------------------------------------------
From: Rajiv Aaron Manglani <rajiv@gentoo.org>
To: bugtraq@securityfocus.com
Message-ID: <a05210602bc0700788438@[10.96.0.12]>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-07
- --------------------------------------------------------------------------

GLSA:        200312-07
Package:     net-ftp/lftp
Summary:     Two buffer overflow problems found in lftp
Severity:    minimal
Gentoo bug:  35866
Date:        2003-12-16
CVE:         CAN-2003-0963
Exploit:     remote
Affected:    <=2.6.9
Fixed:       >=2.6.10


DESCRIPTION:

Two buffer overflow problems have been found in lftp, a multithreaded
command-line based FTP client. A specially created directory on a web
server could be used to execute arbitrary code on the connecting
machine.  The user's machine has to connect to a malicious web server
using HTTP or HTTPS, then issue an "ls" or "rels" command.

Please see
<http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0>
for more details on this problem.


SOLUTION:

All machines which have net-ftp/lftp installed should be updated to
use version 2.6.10 or higher using these commands:

        emerge sync
        emerge -pv '>=net-ftp/lftp-2.6.10'
        emerge '>=net-ftp/lftp-2.6.10'
        emerge clean


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/4U3Wnt0v0zAqOHYRAm7VAJsHDxrJLLQOU51blaP2VMCjkt/+dQCcC6zP
m/ELiJH0C0PukA++i1CfCmc=
=h16K
-----END PGP SIGNATURE-----
(11118232) /Rajiv Aaron Manglani <rajiv@gentoo.org>/(Ombruten)