Solution
Please Install the Updated Packages.
Insight
LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like Bash, it has job control and uses the Readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.
It was discovered that lftp trusted the file name provided in the Content-Disposition HTTP header. A malicious HTTP server could use this flaw to write or overwrite files in the current working directory of a victim running lftp, by sending a different file from what the victim requested. (CVE-2010-2251)
To correct this flaw, the following changes were made to lftp: the "
xfer:clobber"
option now defaults to "
no"
, causing lftp to not overwrite
existing files, and a new option, "
xfer:auto-rename"
, which defaults to
"
no"
, has been introduced to control whether lftp should use server-suggested file names. Refer to the "
Settings"
section of the lftp(1)
manual page for additional details on changing lftp settings.
All lftp users should upgrade to this updated package, which contains a backported patch to correct this issue.
Affected
lftp on Red Hat Enterprise Linux (v. 5 server)
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2010-2251 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities