Ubuntu.com/usn: Referenced CVEs:
CVE-2010-2251


Description:
===========================================================
Ubuntu Security Notice USN-984-1                  September 07, 2010
lftp vulnerability
CVE-2010-2251
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  lftp                            3.6.1-1ubuntu0.1

Ubuntu 9.04:
  lftp                            3.7.8-1ubuntu0.1

Ubuntu 9.10:
  lftp                            3.7.15-1ubuntu2.1

Ubuntu 10.04 LTS:
  lftp                            4.0.2-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by servers in Content-Disposition headers. To re-enable previous
behaviour, use the new xfer:auto-rename setting.

Details follow:

It was discovered that LFTP incorrectly filtered filenames suggested
by Content-Disposition headers. If a user or automated system were tricked
into downloading a file from a malicious site, a remote attacker could
create the file with an arbitrary name, such as a dotfile, and possibly run
arbitrary code.
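The following is an added example, not lftp's own code and not part of the advisory. It models the bug class the notice describes: a client that trusts the server-chosen filename in Content-Disposition can be made to write a dotfile or a path component into the download directory. The sanitiser below rejects such names, and the selection function follows the behaviour the update introduced (ignore the server name by default, honour it only on request). The header values, the URL, and the mapping of the auto_rename flag onto the xfer:auto-rename setting are constructed assumptions for illustration; the advisory only summarises what that setting does.

```python
"""Sanitise a server-supplied Content-Disposition filename.

Added example illustrating CVE-2010-2251 (USN-984-1); not code from lftp.
Sample header values and URLs below are constructed, not captured traffic.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Matches  filename="quoted value"  or  filename=token  and the RFC 5987
# extended form  filename*=charset'lang'percent-encoded  (the ext group).
_FILENAME_RE = re.compile(
    r'filename(?P<ext>\*)?\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<token>[^;\s]+))',
    re.IGNORECASE,
)

# Control characters and both directory separators are never acceptable
# in a name that will be created relative to the download directory.
_UNSAFE_CHARS = re.compile(r'[\x00-\x1f\x7f/\\]')


def parse_disposition_filename(header):
    """Return the filename parameter from a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(header)
    if not m:
        return None
    raw = m.group('quoted') if m.group('quoted') is not None else m.group('token')
    if m.group('ext'):
        # filename*=UTF-8''%2ebashrc : decode the percent-encoded part only.
        raw = unquote(raw.rsplit("'", 1)[-1])
    return raw


def sanitize_filename(name):
    """Return a name safe to create in the current directory, or None to reject it.

    Rejects empty names, '.' and '..', any dotfile (the attack in the
    advisory: a server suggesting e.g. '.bashrc'), directory separators,
    and control characters (which hide the real extension in listings).
    """
    if not name or name in ('.', '..') or name.startswith('.'):
        return None
    if _UNSAFE_CHARS.search(name):
        return None
    return name


def local_name_for(url, content_disposition=None, auto_rename=False):
    """Decide the local filename for a download.

    auto_rename=False mirrors the post-update default: the server's
    suggestion is ignored and the URL's path basename is used.
    auto_rename=True (assumed to stand in for xfer:auto-rename) honours the
    server name only if sanitize_filename() accepts it; otherwise the URL
    basename is used.
    """
    url_name = sanitize_filename(unquote(posixpath.basename(urlsplit(url).path)))
    if url_name is None:
        url_name = 'index.html'  # assumed fallback for URLs ending in '/' or a dotfile
    if not auto_rename or not content_disposition:
        return url_name
    suggested = sanitize_filename(parse_disposition_filename(content_disposition))
    return suggested if suggested is not None else url_name


# Constructed header values showing the attack class described in the notice.
MALICIOUS_HEADERS = [
    'attachment; filename=".bashrc"',
    'attachment; filename="../../.bashrc"',
    "attachment; filename*=UTF-8''%2ebashrc",
    'attachment; filename="report.pdf\x00.sh"',
]
BENIGN_HEADER = 'attachment; filename="quarterly-report.pdf"'

if __name__ == '__main__':
    url = 'http://example.com/downloads/report.pdf'  # constructed
    for h in MALICIOUS_HEADERS:
        print(repr(h), '->', local_name_for(url, h, auto_rename=True))
    print(repr(BENIGN_HEADER), '->', local_name_for(url, BENIGN_HEADER, auto_rename=True))
```

Every malicious header above falls back to the URL basename (report.pdf) even when the server name is honoured, while the benign header is accepted. The percent-encoded case shows why decoding must happen before the dotfile check, not after.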
