Ubuntu Security Notice USN-984-1
7th September, 2010
lftp vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 9.04
- Ubuntu 8.04 LTS
Software description
- lftp
Details
It was discovered that LFTP incorrectly filtered filenames suggested
by Content-Disposition headers. If a user or automated system were tricked
into downloading a file from a malicious site, a remote attacker could
create the file with an arbitrary name, such as a dotfile, and possibly run
arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 10.04 LTS:
- lftp 4.0.2-1ubuntu0.1
- Ubuntu 9.10:
- lftp 3.7.15-1ubuntu2.1
- Ubuntu 9.04:
- lftp 3.7.8-1ubuntu0.1
- Ubuntu 8.04 LTS:
- lftp 3.6.1-1ubuntu0.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by servers in Content-Disposition headers. To re-enable previous
behaviour, use the new xfer:auto-rename setting.