Description
ELSA-2010-0585: lftp security update (MODERATE)
[3.7.11-4.el5_5.3]
- Related: CVE-2010-2251 - document change of xfer:clobber default value in manpage, respect xfer:clobber on with xfer:auto-rename on (old behaviour)
[3.7.11-4.el5_5.2]
- Related: CVE-2010-2251 - describe new option xfer:auto-rename which could restore old behaviour in manpage
[3.7.11-4.el5_5.1]
- Resolves: CVE-2010-2251 - multiple HTTP client download filename vulnerability (#617870)
Updated packages
Oracle Linux 5
Oracle Linux ia64: lftp 3.7.11-4.el5_5.3
Oracle Linux x86_64: lftp 3.7.11-4.el5_5.3
Oracle Linux i386: lftp 3.7.11-4.el5_5.3
Related CVEs
Related vulnerabilities
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.