Scientific Linux Security Update : lftp for SL 5

This script is Copyright (C) 2012 Tenable Network Security, Inc.

Synopsis :

The remote Scientific Linux host is missing a security update.

Description :

LFTP is a sophisticated file transfer program for the FTP and HTTP
protocols. Like Bash, it has job control and uses the Readline library
for input. It has bookmarks, built-in mirroring, and can transfer
several files in parallel. It is designed with reliability in mind.

It was discovered that lftp trusted the file name provided in the
Content-Disposition HTTP header. A malicious HTTP server could use
this flaw to write or overwrite files in the current working directory
of a victim running lftp, by sending a different file from what the
victim requested. (CVE-2010-2251)

To correct this flaw, the following changes were made to lftp: the
'xfer:clobber' option now defaults to 'no', causing lftp to not
overwrite existing files, and a new option, 'xfer:auto-rename', which
defaults to 'no', has been introduced to control whether lftp should
use server-suggested file names. Refer to the 'Settings' section of
the lftp(1) manual page for additional details on changing lftp

All lftp users should upgrade to this updated package, which contains
a backported patch to correct this issue.

See also :

Solution :

Update the affected lftp package.

Risk factor :

High / CVSS Base Score : 7.5

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60827 ()

Bugtraq ID:

CVE ID: CVE-2010-2251