Debian Lftp vulnerabilities
4 known vulnerabilities affecting debian/lftp.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1, LOW 2
Vulnerabilities
CVE-2018-10916 | MEDIUM | CVSS 5.3 | fixed in lftp 4.8.4-1 (bookworm) | 2018
CVE-2018-10916 [MEDIUM] CVE-2018-10916: lftp - It has been discovered that lftp up to and including version 4.8.3 does not prop...
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of t
debian
CVE-2010-2251 | LOW | CVSS 7.5 | fixed in lftp 4.0.6-1 (bookworm) | 2010
CVE-2010-2251 [HIGH] CVE-2010-2251: lftp - The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly val...
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to
debian
CVE-2007-2348 | LOW | CVSS 6.8 | fixed in lftp 3.5.9-1 (bookworm) | 2007
CVE-2007-2348 [MEDIUM] CVE-2007-2348: lftp - mirror --script in lftp before 3.5.9 does not properly quote shell metacharacter...
mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.
Scope: local
bookworm:
debian
CVE-2003-0963 | HIGH | CVSS 7.5 | PoC | fixed in lftp 2.6.10-1 (bookworm) | 2003
CVE-2003-0963 [HIGH] CVE-2003-0963: lftp - Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9...
Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands.
Scope: local
bookworm: resolved (fixed in 2.6.10-1)
bullseye: resolved (fixed in 2.6.10-1)
forky: resolved (fixed in 2.6.10-1)
sid: resolved (fixed in 2.6.1
debian