| Summary: | lftp new security issue fixed upstream in 4.8.4 (CVE-2018-10916) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, lists.jjorge, mageia, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | lftp-4.7.7-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-08-01 14:17:37 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => lists.jjorge

I have pushed version 4.8.4 to MGA6 updates, as it is the only upstream-maintained version and there is no change that could break a script.

Advisory:
Lftp 4.8.4 brings a security fix for "file:" file names. Compared to version 4.7.7, which was the previous MGA6 lftp version, it also brings several new parameters, like the -P option for parallel transfers.
ref: http://lftp.yar.ru/news.html

RPMS:
lftp-4.8.4-1.mga6.x86_64.rpm
lib64lftp0-4.8.4-1.mga6.x86_64.rpm
lib64lftp-devel-4.8.4-1.mga6.x86_64.rpm
lftp-scripts-4.8.4-1.mga6.noarch.rpm

Assignee: lists.jjorge => qa-bugs

Ubuntu has issued an advisory today (August 6): https://usn.ubuntu.com/3731-1/
It may be for this issue, but the CVE it lists appears to be incorrect as it says it's for graphviz. Anyway, they did backport the fix to older versions.

$ uname -a
Linux localhost 4.14.56-desktop586-1.mga6 #1 SMP Mon Jul 16 19:35:53 UTC 2018 i686 i686 i686 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 6 packages are going to be installed:
- lftp-4.8.4-1.mga6.i586
- lftp-scripts-4.8.4-1.mga6.noarch
- liblftp0-4.8.4-1.mga6.i586
- meta-task-6-3.2.mga6.noarch
- perl-DBI-1.636.0-2.mga6.i586
- perl-String-CRC32-1.500.0-9.mga6.i586
2MB of additional disk space will be used.
1.5MB of packages will be retrieved.
Is it ok to continue?
-----------
$ lftp 192.168.1.20
user xxxxx
Then I issued the reget command:
reget time_xxxx.avi
System is functioning as designed from what I can tell.

Whiteboard: (none) => MGA6-32-OK

Installed and tested without issue.
For testing I used various sites referenced in: https://www.ftpclientserversites.com/best-anonymous-ftp-sites-list/
Tests included:
- Connect to several sites using lftp ftp://...
- Used various commands while connected (e.g. ls, get, mget, cd, help, close, exit)
- Get several files using lftpget ftp://...

$ uname -a
Linux marte 4.14.56-desktop-1.mga6 #1 SMP Mon Jul 16 19:36:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep lftp | sort
lftp-4.8.4-1.mga6
lftp-scripts-4.8.4-1.mga6
lib64lftp0-4.8.4-1.mga6

CC: (none) => mageia

Thanks for the tests guys. Reckon this can be validated.

Keywords: (none) => validated_update
Thomas Backlund
2018-08-10 15:57:00 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0334.html

Resolution: (none) => FIXED

(In reply to David Walser from comment #3)
> Ubuntu has issued an advisory today (August 6):
> https://usn.ubuntu.com/3731-1/
>
> It may be for this issue, but the CVE it lists appears to be incorrect as it
> says it's for graphviz. Anyway, they did backport the fix to older versions.

They must have fixed it; it correctly shows that it's for lftp now.

SUSE also issued an advisory for this issue with the same CVE:
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005205.html

Summary: lftp new security issue fixed upstream in 4.8.4 => lftp new security issue fixed upstream in 4.8.4 (CVE-2018-10916)
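The maintainer's comment in this report describes the 4.8.4 update as carrying a security fix for "file:" file names, i.e. a case where a name received from a remote server was being re-interpreted as a URL. The Python below is an added illustration, not part of this bug report and not lftp's code, and it does not reproduce the upstream fix. It shows the general check a transfer client should apply before turning a server-supplied file name into a local path: reject names that parse as a URL scheme, are absolute, or resolve outside the download directory. The function names, the `/tmp/dl` destination and the sample listing are constructed for the example.

```python
"""Hypothetical sanitizer for server-supplied file names.

Added illustration, not lftp code: it does not reproduce the upstream 4.8.4
fix. It demonstrates the generic rule that a file name received from a remote
server must not be re-interpreted as a URL (e.g. "file:///...") or escape the
local download directory before it is used as a local path.
"""
import os
import posixpath
import re

# RFC 3986 scheme syntax followed by ":". Deliberately conservative: a plain
# name such as "12:30.log" is also rejected rather than risk a URL reading.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


class UnsafeRemoteName(ValueError):
    """Raised when a remote file name must not be used as a local path."""


def looks_like_url(name: str) -> bool:
    """True if the name starts with something that parses as a URL scheme."""
    return _SCHEME_RE.match(name) is not None


def safe_local_path(remote_name: str, dest_dir: str) -> str:
    """Map a server-supplied name to an absolute path inside dest_dir.

    Raises UnsafeRemoteName if the name is empty, contains NUL, parses as a
    URL, is absolute, or would resolve to or outside dest_dir itself.
    """
    if not remote_name or "\0" in remote_name:
        raise UnsafeRemoteName("empty or NUL-containing name")
    if looks_like_url(remote_name):
        raise UnsafeRemoteName(f"name parses as a URL: {remote_name!r}")
    if remote_name.startswith("/"):
        raise UnsafeRemoteName(f"absolute path: {remote_name!r}")

    # Collapse "." and ".." the way the filesystem would, then verify the
    # result still lives strictly below the destination directory.
    norm = posixpath.normpath(remote_name)
    dest_abs = os.path.abspath(dest_dir)
    candidate = os.path.abspath(os.path.join(dest_abs, norm))
    if candidate == dest_abs:
        raise UnsafeRemoteName(f"resolves to the directory itself: {remote_name!r}")
    if os.path.commonpath([dest_abs, candidate]) != dest_abs:
        raise UnsafeRemoteName(f"path escapes {dest_dir!r}: {remote_name!r}")
    return candidate


def filter_listing(names, dest_dir):
    """Split a remote directory listing into (accepted, rejected).

    accepted: list of (remote_name, local_path)
    rejected: list of (remote_name, reason)
    """
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append((name, safe_local_path(name, dest_dir)))
        except UnsafeRemoteName as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample listing, as a hostile server might return it.
SAMPLE_LISTING = [
    "report.pdf",
    "sub/dir/data.csv",
    "file:///tmp/owned",      # a naive client could treat this as a local URL
    "ftp://evil.example/x",
    "../../.bashrc",
    "/etc/passwd",
]

if __name__ == "__main__":
    ok, bad = filter_listing(SAMPLE_LISTING, "/tmp/dl")
    for name, path in ok:
        print(f"accept {name!r} -> {path}")
    for name, reason in bad:
        print(f"reject {name!r}: {reason}")
```

Run stand-alone it prints two accepted entries and four rejections. The scheme check is applied before any path normalisation on purpose: a URL-looking name is never a legitimate relative path, so there is nothing to normalise, and rejecting it first keeps the later directory check from being confused by the `//` in the authority part.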