Control: found -1 4.7.4-1
Hi Noel,
On Wed, Aug 01, 2018 at 05:46:55AM +0200, Salvatore Bonaccorso wrote:
> Source: lftp
> Version: 4.8.3-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/lavv17/lftp/issues/452
>
> Hi,
>
> The following vulnerability was published for lftp, where in case the reverse
> mirror option is used it can lead to data loss on source.
>
> CVE-2018-10916[0]:
> Exploit in reverse mirror job deletes cwd on source
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-10916
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916
> [1] https://github.com/lavv17/lftp/issues/452
> [2] https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
>
> Please adjust the affected versions in the BTS as needed.
We marked it as no-dsa for stretch, but a fix would still be great as
well for stable. Could you prepare an update for next point release
for stretch?
Regards,
Salvatore