Your message dated Thu, 02 Aug 2018 04:49:22 +0000
with message-id <e1fl5ya-0005xd...@fasolo.debian.org>
and subject line Bug#905163: fixed in lftp 4.8.4-1
has caused the Debian Bug report #905163,
regarding lftp: CVE-2018-10916: Exploit in reverse mirror job deletes cwd on source
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
905163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lftp
Version: 4.8.3-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/lavv17/lftp/issues/452
Hi,
The following vulnerability was published for lftp, where in case the reverse
mirror option is used it can lead to data loss on the source.
CVE-2018-10916[0]:
Exploit in reverse mirror job deletes cwd on source
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916
[1] https://github.com/lavv17/lftp/issues/452
[2] https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lftp
Source-Version: 4.8.4-1
We believe that the bug you reported is fixed in the latest version of
lftp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 905...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Noël Köthe <n...@debian.org> (supplier of updated lftp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 02 Aug 2018 05:47:42 +0200
Source: lftp
Binary: lftp
Architecture: source amd64
Version: 4.8.4-1
Distribution: unstable
Urgency: high
Maintainer: Noël Köthe <n...@debian.org>
Changed-By: Noël Köthe <n...@debian.org>
Description:
lftp - Sophisticated command-line FTP/HTTP/BitTorrent client programs
Closes: 905163
Changes:
lftp (4.8.4-1) unstable; urgency=high
.
* New upstream version 4.8.4 fixes CVE-2018-10916 closes: Bug#905163
* updated Standards-Version; no changes needed
* switched to debhelper 11
* fix lintian warning about trailing whitespaces
* updated signing key from Alexander V. Lukyanov <l...@yars.free.net>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---