Date: Thu, 18 Dec 2003 02:01:01 -0500
From: Rajiv Aaron Manglani <rajiv@gentoo.org>
To: bugtraq@securityfocus.com
Subject: GLSA: lftp (200312-07)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-07
- --------------------------------------------------------------------------
GLSA: 200312-07
Package: net-ftp/lftp
Summary: Two buffer overflow problems found in lftp
Severity: minimal
Gentoo bug: 35866
Date: 2003-12-16
CVE: CAN-2003-0963
Exploit: remote
Affected: <=2.6.9
Fixed: >=2.6.10
DESCRIPTION:
Two buffer overflow problems have been found in lftp, a multithreaded
command-line based FTP client. A specially created directory on a web
server could be used to execute arbitrary code on the connecting machine.
The user's machine has to connect to a malicious web server using HTTP or
HTTPS, then issue an "ls" or "rels" command.
Please see
<http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0>;
for more details on this problem.
SOLUTION:
All machines which have net-ftp/lftp installed should be updated to use
version 2.6.10 or higher using these commands:
emerge sync
emerge -pv '>=net-ftp/lftp-2.6.10'
emerge '>=net-ftp/lftp-2.6.10'
emerge clean
// end
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/4U3Wnt0v0zAqOHYRAm7VAJsHDxrJLLQOU51blaP2VMCjkt/+dQCcC6zP
m/ELiJH0C0PukA++i1CfCmc=
=h16K
-----END PGP SIGNATURE-----
