Please Install the Updated Packages.

LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like Bash, it has job control and uses the Readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind. It was discovered that lftp trusted the file name provided in the Content-Disposition HTTP header. A malicious HTTP server could use this flaw to write or overwrite files in the current working directory of a victim running lftp, by sending a different file from what the victim requested. (CVE-2010-2251) To correct this flaw, the following changes were made to lftp: the &quot xfer:clobber&quot option now defaults to &quot no&quot , causing lftp to not overwrite existing files, and a new option, &quot xfer:auto-rename&quot , which defaults to &quot no&quot , has been introduced to control whether lftp should use server-suggested file names. Refer to the &quot Settings&quot section of the lftp(1) manual page for additional details on changing lftp settings. All lftp users should upgrade to this updated package, which contains a backported patch to correct this issue.

lftp on CentOS 5

• http://lists.centos.org/pipermail/centos-announce/2010-August/016860.html

---

Updated on 2015-03-25