
List:       oss-security
Subject:    Re: [oss-security] [oCERT-2010-001] multiple http client unexpected
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2010-06-10 20:40:58
Message-ID: 20100610204058.GP4828 () redhat ! com

* [2010-05-20 08:27:56 +0400] Solar Designer wrote:

> On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
> > Serving dot files is a neat trick indeed, I've overlooked that
> > paragraph in the ocert advisory. Nevertheless I'm not convinced it's
> > worth changing wget's default behavior in the proposed way. So I can
> > understand upstream here.
> 
> As far as I'm aware, at the time of the initial oCERT notification, the
> wget upstream was represented by Micah Cowan, who was about to resign.
> And he did:
> 
> http://lists.gnu.org/archive/html/bug-wget/2010-04/msg00027.html
> 
> oCERT has re-notified the new upstream shortly before publishing the
> advisory (we decided this was not enough of a reason to introduce a
> further pre-public-disclosure delay).  I don't think the new wget
> upstream has made a determination on this issue yet; at least I'm not
> aware of that.
> 
> ...
> 
> For those producing back-ports for lftp, the approach to take is to
> download 4.0.5 and 4.0.6 from:
> 
> http://ftp.yars.free.net/pub/source/lftp/old/
> 
> Then diff them with:
> 
> diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x \
> build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6

Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=591580

Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about
it.

-- 
Vincent Danen / Red Hat Security Response Team 
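The issue behind this thread is an HTTP client letting the server choose the local filename (via a Content-Disposition header or a redirect), including dot files. The following is an added example, not code from lftp, wget, the oCERT advisory or the Red Hat patch: it shows the filename sanitising a client would apply before writing to disk, and the safe default of deriving the name from the URL unless the user opts in to the server-supplied one. The hostname, header values and function names are constructed for illustration.

```python
from email.message import Message
from urllib.parse import unquote, urlsplit

# Assumed default for an empty or rejected name (hypothetical; wget uses
# the same name for a bare directory URL, other clients differ).
DEFAULT_NAME = 'index.html'


def suggested_filename(content_disposition):
    """Filename parameter of a Content-Disposition header, or None.

    Uses the stdlib header parser so quoting and RFC 2231 encoding are
    handled. The value is attacker-controlled and must still go through
    safe_local_name() before it touches the filesystem.
    """
    if not content_disposition:
        return None
    msg = Message()
    msg['Content-Disposition'] = content_disposition
    return msg.get_filename()


def safe_local_name(name, fallback=DEFAULT_NAME):
    """Reduce an untrusted name to a single, visible path component.

    %-escapes are decoded first so that %2F cannot smuggle a separator
    past the split; any directory part is stripped for both '/' and '\\';
    then empty names, '.', '..', embedded NUL and anything starting with
    a dot (the 'serving dot files' case, e.g. .bashrc) are rejected.
    """
    if not name:
        return fallback
    name = unquote(name).replace('\\', '/').rsplit('/', 1)[-1]
    if '\0' in name or name in ('', '.', '..') or name.startswith('.'):
        return fallback
    return name


def name_from_url(url):
    """Sanitised last path component of the URL the user asked for."""
    return safe_local_name(urlsplit(url).path)


def choose_download_name(url, content_disposition=None, honour_header=False):
    """Pick the local filename for a download.

    Safe default: name the file after the URL the user typed and ignore
    the server's Content-Disposition. honour_header=True opts in to the
    header, but the value is still sanitised and falls back to the
    URL-derived name when rejected, so a server can never pick a dot
    file or a path outside the current directory.
    """
    from_url = name_from_url(url)
    if honour_header:
        return safe_local_name(suggested_filename(content_disposition),
                               fallback=from_url)
    return from_url


if __name__ == '__main__':
    # Constructed sample: a server trying to drop a dot file.
    url = 'http://example.invalid/pub/lftp-4.0.6.tar.gz'
    hdr = 'attachment; filename=".bashrc"'
    print(choose_download_name(url, hdr))                      # lftp-4.0.6.tar.gz
    print(choose_download_name(url, hdr, honour_header=True))  # lftp-4.0.6.tar.gz
```

The opt-in flag mirrors the position taken in the thread: whether a client honours the server's name is a policy choice, but the sanitising step is not optional either way.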

