FS#42646 - [tnftp] CVE-2014-8517: arbitrary command execution by malicious server

Attached to Project: Community Packages
Opened by Levente Polyak (anthraxx) - Saturday, 01 November 2014, 11:51 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 01 November 2014, 13:38 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Summary:
It has been reported [0] that tnftp 20130505-2 has a bug which may result in arbitrary command execution.
This issue is tracked as CVE-2014-8517 [1].

Description:
A malicious webserver can trick tnftp below 20141031 via HTTP redirects into executing arbitrary commands on the client side.

Mitigation:
The problem has been fixed upstream in version >= 20141031; an update is highly recommended.

[0] http://seclists.org/oss-sec/2014/q4/459
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1158286

Closed by Doug Newgard (Scimmia)
Saturday, 01 November 2014, 13:38 GMT
Reason for closing: Fixed
Additional comments about closing: 20141031 is already in Community.
