lftp 4.8.4 has been released today (August 1) fixing a security issue:
http://lftp.yar.ru/news.html

No CVE was given, it just says: "Fixed a security vulnerability with "file:" file names."
Assigning to the registered maintainer.
Assignee: bugsquad => lists.jjorge
CC: (none) => marja11
I have pushed version 4.8.4 to MGA6 updates, as it is the only upstream-maintained version and there is no change that could break a script.

Advisory:
Lftp 4.8.4 brings a security fix for "file:" file names. Compared with version 4.7.7, which was the previous MGA6 lftp version, it also brings several new parameters, such as the -P option for parallel transfers.
ref: http://lftp.yar.ru/news.html

RPMS:
lftp-4.8.4-1.mga6.x86_64.rpm
lib64lftp0-4.8.4-1.mga6.x86_64.rpm
lib64lftp-devel-4.8.4-1.mga6.x86_64.rpm
lftp-scripts-4.8.4-1.mga6.noarch.rpm
Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Ubuntu has issued an advisory today (August 6): https://usn.ubuntu.com/3731-1/ It may be for this issue, but the CVE it lists appears to be incorrect as it says it's for graphviz. Anyway, they did backport the fix to older versions.
$ uname -a
Linux localhost 4.14.56-desktop586-1.mga6 #1 SMP Mon Jul 16 19:35:53 UTC 2018 i686 i686 i686 GNU/Linux

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 6 packages are going to be installed:

- lftp-4.8.4-1.mga6.i586
- lftp-scripts-4.8.4-1.mga6.noarch
- liblftp0-4.8.4-1.mga6.i586
- meta-task-6-3.2.mga6.noarch
- perl-DBI-1.636.0-2.mga6.i586
- perl-String-CRC32-1.500.0-9.mga6.i586

2MB of additional disk space will be used.
1.5MB of packages will be retrieved.

Is it ok to continue?
-----------
$ lftp 192.168.1.20 user xxxxx

Then I issued the reget command:

reget time_xxxx.avi

System is functioning as designed from what I can tell.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => brtians1
Installed and tested without issue.

For testing I used various sites referenced in:
https://www.ftpclientserversites.com/best-anonymous-ftp-sites-list/

Tests included:
- Connect to several sites using lftp ftp://...
- Used various commands while connected (e.g. ls, get, mget, cd, help, close, exit)
- Get several files using lftpget ftp://...

$ uname -a
Linux marte 4.14.56-desktop-1.mga6 #1 SMP Mon Jul 16 19:36:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep lftp | sort
lftp-4.8.4-1.mga6
lftp-scripts-4.8.4-1.mga6
lib64lftp0-4.8.4-1.mga6
CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Thanks for the tests, guys. Reckon this can be validated.
Keywords: (none) => validated_update
CC: (none) => tarazed25, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0334.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
(In reply to David Walser from comment #3)
> Ubuntu has issued an advisory today (August 6):
> https://usn.ubuntu.com/3731-1/
>
> It may be for this issue, but the CVE it lists appears to be incorrect as it
> says it's for graphviz. Anyway, they did backport the fix to older versions.

They must have fixed it; it correctly shows that it's for lftp now.

SUSE also issued an advisory for this issue with the same CVE:
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005205.html
Summary: lftp new security issue fixed upstream in 4.8.4 => lftp new security issue fixed upstream in 4.8.4 (CVE-2018-10916)