SynopsisThe remote Red Hat host is missing a security update.
DescriptionUpdated lftp packages are now available that fix a buffer overflow security vulnerability.
lftp is a command-line file transfer program supporting FTP and HTTP protocols.
Ulf Harnhammar discovered a buffer overflow bug in versions of lftp up to and including 2.6.9. An attacker could create a carefully crafted directory on a website such that, if a user connects to that directory using the lftp client and subsequently issues a 'ls' or 'rels' command, the attacker could execute arbitrary code on the users machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0963 to this issue.
Users of lftp are advised to upgrade to these erratum packages, which contain a backported security patch and are not vulnerable to this issue.
Red Hat would like to thank Ulf Harnhammar for discovering and alerting us to this issue.
SolutionUpdate the affected lftp package.