Date: Thu, 10 Jun 2010 14:40:58 -0600
From: Vincent Danen <>
Subject: Re: [oCERT-2010-001] multiple http client unexpected
 download filename vulnerability

* [2010-05-20 08:27:56 +0400] Solar Designer wrote:

>On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
>> Serving dot files is a neat trick indeed, I've overlooked that
>> paragraph in the ocert advisory. Nevertheless I'm not convinced it's
>> worth changing wget's default behavior in the proposed way. So I can
>> understand upstream here.
>
>As far as I'm aware, at the time of the initial oCERT notification, the
>wget upstream was represented by Micah Cowan, who was about to resign.
>And he did:
>
>oCERT has re-notified the new upstream shortly before publishing the
>advisory (we decided this was not enough of a reason to introduce a
>further pre-public-disclosure delay).  I don't think the new wget
>upstream has made a determination on this issue yet; at least I'm not
>aware of that.
>
>For those producing back-ports for lftp, the approach to take is to
>download 4.0.5 and 4.0.6 from:
>
>Then diff them with:
>
>diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6

Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about

Vincent Danen / Red Hat Security Response Team 
