USN-984-1: LFTP vulnerability

Publication date

7 September 2010

Details

It was discovered that LFTP incorrectly filtered filenames suggested
by Content-Disposition headers. If a user or automated system were tricked
into downloading a file from a malicious site, a remote attacker could
create the file with an arbitrary name, such as a dotfile, and possibly run
arbitrary code.
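The following Python is an added illustration and is not part of this advisory or of the lftp source. It models the defect in three small functions: suggested_filename() extracts the name a server offers in Content-Disposition (including the RFC 5987 filename*= form), naive_local_name() trusts that name the way the vulnerable behaviour did, and local_name() shows the two safe alternatives, ignoring the suggestion entirely (the default after the update) or keeping it only after it has been reduced to a single non-dot path component. The URLs and header values are constructed samples; the function names are this example's own.

```python
import posixpath
import urllib.parse

# Constructed samples: the requested URL and the Content-Disposition header
# a (possibly malicious) server sent back with the response.
SAMPLES = [
    ("http://example.test/files/report.pdf", 'attachment; filename="report.pdf"'),
    ("http://example.test/files/report.pdf", 'attachment; filename=".bashrc"'),
    ("http://example.test/files/report.pdf", 'attachment; filename="../../.profile"'),
    ("http://example.test/files/report.pdf", 'attachment; filename="C:\\Users\\x\\.bashrc"'),
    ("http://example.test/files/report.pdf",
     "attachment; filename*=UTF-8''%2e%2e%2f.ssh%2fauthorized_keys"),
    ("http://example.test/files/report.pdf", "attachment"),
]


def suggested_filename(header):
    """Return the server-suggested name from a Content-Disposition value, unfiltered.

    Understands filename="..." and the RFC 5987 filename*=charset'lang'pct-encoded
    form (filename* wins when both are present). The parameter splitter is
    simplified: it does not handle ';' inside a quoted string.
    """
    plain = None
    extended = None
    for part in header.split(";")[1:]:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "filename":
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            plain = value
        elif key == "filename*":
            # charset'language'text: keep the text, then percent-decode it.
            extended = urllib.parse.unquote(value.split("'", 2)[-1])
    return extended if extended is not None else plain


def url_basename(url):
    """Name derived from the URL path alone; what the client asked for."""
    path = urllib.parse.unquote(urllib.parse.urlsplit(url).path)
    return posixpath.basename(path) or "index.html"


def naive_local_name(url, header):
    """Model of the vulnerable behaviour: write to whatever name the server chose."""
    suggested = suggested_filename(header)
    return suggested if suggested else url_basename(url)


def sanitize_suggested(name):
    """Reduce a suggested name to one safe path component, or None to reject it."""
    if name is None:
        return None
    # Treat backslash as a separator too, so "..\\" and drive paths collapse as well.
    name = posixpath.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    if name.startswith("."):            # no dotfiles: .bashrc, .profile, .ssh ...
        return None
    if any(ord(c) < 32 or c == "\x7f" for c in name):
        return None
    return name


def local_name(url, header, auto_rename=False):
    """Choose the file name a download is written to.

    auto_rename=False: ignore the server's suggestion and use the URL name
    (the behaviour the update introduces). auto_rename=True: honour the
    suggestion, but only after sanitize_suggested() has accepted it.
    """
    if auto_rename:
        safe = sanitize_suggested(suggested_filename(header))
        if safe is not None:
            return safe
    return url_basename(url)


if __name__ == "__main__":
    for url, header in SAMPLES:
        print(f"{header!r:70} naive={naive_local_name(url, header)!r:28} "
              f"default={local_name(url, header)!r:14} "
              f"auto_rename={local_name(url, header, auto_rename=True)!r}")
```

Running it shows the point of the advisory: with the naive policy a header of filename="../../.profile" yields exactly that path, while both safe policies produce report.pdf. Note that basename() alone is not sufficient; the percent-encoded filename* sample decodes to ../.ssh/authorized_keys, and only the leading-dot and separator checks together keep the result to a harmless name in the download directory.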

Update instructions

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour. lftp now ignores the filename supplied by servers in Content-Disposition headers and names downloads after the requested URL instead. To re-enable the previous behaviour, use the new xfer:auto-rename setting (for example, set xfer:auto-rename yes in ~/.lftprc).

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release    Package    Version
10.04 lucid       lftp       4.0.2-1ubuntu0.1
9.10 karmic       lftp       3.7.15-1ubuntu2.1
9.04 jaunty       lftp       3.7.8-1ubuntu0.1
8.04 hardy        lftp       3.6.1-1ubuntu0.1
