Upstream has released version 4.6.2 today (April 16): http://lftp.yar.ru/news.html

It fixes an issue with hostname verification when validating TLS/SSL certificates, which was previously fixed in curl in Bug 12476. lftp uses a local copy of the same code from curl, which is why it has the same CVE. The upstream fix was in this commit: https://github.com/lavv17/lftp/commit/6357bed2583171b7515af6bb6585cf56d2117e3f

Mageia 4 and Mageia 5 are affected. Upstream patch added in Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated lftp packages fix security vulnerability:

lftp incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139).

lftp was affected by this issue as it uses code from cURL for checking SSL certificates. The curl package was fixed in MGASA-2014-0153.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://advisories.mageia.org/MGASA-2014-0153.html
http://lftp.yar.ru/news.html
========================

Updated packages in core/updates_testing:
========================
lftp-4.4.14-1.1.mga4
liblftp0-4.4.14-1.1.mga4
liblftp-devel-4.4.14-1.1.mga4

from lftp-4.4.14-1.1.mga4.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/592586/
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
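To make the advisory's point concrete, here is an added illustration (not lftp's or curl's own code) of the certificate name check in a simplified form: the vulnerable version consults the leftmost-label wildcard for any host name, so a CN such as "*.1.2.3" is accepted for the literal address "10.1.2.3", while the fixed version refuses the wildcard path whenever the host is an IP literal. The function names and the "*." only wildcard form are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* True when host is a literal IPv4 or IPv6 address rather than a DNS name. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Simplified leftmost-label wildcard match (assumption of this example):
   the pattern must start with "*." and every label after the first must
   equal the host's remaining labels, compared case-insensitively. */
static bool wildcard_match(const char *pattern, const char *host)
{
    const char *hdot = strchr(host, '.');
    if (pattern[0] != '*' || pattern[1] != '.' || !hdot || hdot == host)
        return false;
    return strcasecmp(pattern + 1, hdot) == 0;
}

/* Vulnerable check (CVE-2014-0139): the wildcard is consulted for any host,
   so CN "*.1.2.3" is accepted for the literal address "10.1.2.3". */
bool cert_hostmatch_vulnerable(const char *cn, const char *host)
{
    if (strcasecmp(cn, host) == 0)
        return true;
    return wildcard_match(cn, host);
}

/* Fixed check: a literal IP address must match the CN exactly; the
   wildcard path is never taken for it. */
bool cert_hostmatch_fixed(const char *cn, const char *host)
{
    if (strcasecmp(cn, host) == 0)
        return true;
    if (is_ip_literal(host))
        return false;
    return wildcard_match(cn, host);
}
```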
You can do a simple check of https functionality with: lftp https://fedorahosted.org/released/abrt/ and then run "ls" at the lftp prompt (as in Bug 4176). Works fine for me on Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
Testing as in comment #2: ls works but get fails. I don't know if it's expected.

lftp fedorahosted.org:/released/abrt> get satyr-0.16.tar.xz
get: /mnt/other/boot/satyr-0.16.tar.xz: Permission non accordée

I connected to an FTP server of mine that activates SSL and everything worked fine.
CC: (none) => stormi
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
get satyr-0.16.tar.xz worked for me. Maybe try again?
It works now, probably a transient server issue.
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0165.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED