LinuxSecurity.com: It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.
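As an added illustration (not LFTP's code and not its fix), this is one way a download client can filter a server-suggested name before creating a local file. The function names, the allow-list policy and the fallback name are assumptions made for this example.

```python
import re
from email.message import Message

# Assumed policy: a server-chosen name may contain only these characters.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def suggested_filename(content_disposition):
    """Return the filename parameter of a Content-Disposition value, or None."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    # The standard library parser handles quoted values and the filename*= form.
    return msg.get_filename()


def safe_local_name(content_disposition, fallback="download.bin"):
    """Map an untrusted Content-Disposition value to a name safe to create locally."""
    name = suggested_filename(content_disposition)
    if not name:
        return fallback
    # Keep only the last path component; treat both separators as separators.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace everything outside the allow-list (spaces, control bytes, shell metacharacters).
    name = _UNSAFE.sub("_", name)
    # Strip leading dots so the result is never a dotfile, "." or "..".
    name = name.lstrip(".")
    # Cap the length and fall back if nothing usable is left.
    return name[:255] or fallback


if __name__ == "__main__":
    # Constructed header values, not taken from any real server.
    for header in (
        'attachment; filename="report.pdf"',
        'attachment; filename=".bashrc"',
        'attachment; filename="../../.ssh/authorized_keys"',
        'attachment; filename=".."',
        "attachment",
    ):
        print(f"{header!r:55} -> {safe_local_name(header)}")
```

A client that opens the result with exclusive-create semantics (for example mode `"x"` in Python) additionally avoids overwriting a file that already exists in the download directory.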