USN-984-1: LFTP vulnerability

7 September 2010

lftp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.04 LTS


Software Description

  • lftp


It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.04 LTS
lftp - 4.0.2-1ubuntu0.1
Ubuntu 9.10
lftp - 3.7.15-1ubuntu2.1
Ubuntu 9.04
lftp - 3.7.8-1ubuntu0.1
Ubuntu 8.04 LTS
lftp - 3.6.1-1ubuntu0.1

To update your system, please follow these instructions:

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename supplied by servers in Content-Disposition headers. To re-enable previous behaviour, use the new xfer:auto-rename setting.