List: oss-security
Subject: Re: [oss-security] [oCERT-2010-001] multiple http client unexpected
From: Vincent Danen <vdanen () redhat ! com>
Date: 2010-06-10 20:40:58
Message-ID: 20100610204058.GP4828 () redhat ! com
* [2010-05-20 08:27:56 +0400] Solar Designer wrote:
> On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
> > Serving dot files is a neat trick indeed, I've overlooked that
> > paragraph in the ocert advisory. Nevertheless I'm not convinced it's
> > worth changing wget's default behavior in the proposed way. So I can
> > understand upstream here.
>
> As far as I'm aware, at the time of the initial oCERT notification, the
> wget upstream was represented by Micah Cowan, who was about to resign.
> And he did:
>
> http://lists.gnu.org/archive/html/bug-wget/2010-04/msg00027.html
>
> oCERT has re-notified the new upstream shortly before publishing the
> advisory (we decided this was not enough of a reason to introduce a
> further pre-public-disclosure delay). I don't think the new wget
> upstream has made a determination on this issue yet; at least I'm not
> aware of that.
>
> ...
>
> For those producing back-ports for lftp, the approach to take is to
> download 4.0.5 and 4.0.6 from:
>
> http://ftp.yars.free.net/pub/source/lftp/old/
>
> Then diff them with:
>
> diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x \
> build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6
Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=591580
Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about
it.
--
Vincent Danen / Red Hat Security Response Team
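As an added illustration of the defensive rule this thread revolves around (not code from wget, lftp, or the Red Hat patch), the snippet below treats a server-suggested download name as untrusted: it keeps the suggestion only if it is a single plain, printable, non-dot-file component, and otherwise falls back to the name derived from the URL. Header parsing uses the stdlib `email.message` parser; the acceptance policy itself is an assumption, not any upstream's.

```python
from email.message import Message
from typing import Optional
from urllib.parse import unquote, urlsplit


def name_from_url(url: str) -> str:
    """Fallback name: last path segment of the URL the user asked for.
    The URL is the user's own choice, so it is left as-is (only empty
    and '.'/'..' segments are replaced), mirroring classic client behaviour."""
    last = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    return last if last and last not in (".", "..") else "index.html"


def suggested_filename(content_disposition: Optional[str]) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition value using
    the stdlib MIME parser (it unquotes and also decodes RFC 2231 filename*)."""
    if not content_disposition:
        return None
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()


def is_acceptable_name(name: str) -> bool:
    """Policy for an untrusted, server-chosen name (assumed here, not upstream's):
    one path component, printable, and not a dot file, so a server cannot
    drop something like .wgetrc or .bash_profile into the download directory."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    if not all(ch.isprintable() for ch in name):
        return False
    if name.startswith("."):
        return False
    return True


def choose_download_name(url: str, content_disposition: Optional[str]) -> str:
    """Honour the server's suggestion only when it passes policy; else use the URL."""
    suggested = suggested_filename(content_disposition)
    if suggested is not None and is_acceptable_name(suggested):
        return suggested
    return name_from_url(url)
```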