Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201101-04 ] aria2: Directory traversal
Date: Sat, 15 Jan 2011 23:13:21
Message-Id: 4D3215CF.3030504@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201101-04
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: aria2: Directory traversal
9 Date: January 15, 2011
10 Bugs: #320975
11 ID: 201101-04
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A directory traversal vulnerability has been found in aria2.
19
20 Background
21 ==========
22
23 aria2 is a download utility with resuming and segmented downloading
24 with HTTP/HTTPS/FTP/BitTorrent support.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-misc/aria2 < 1.9.3 >= 1.9.3
33
34 Description
35 ===========
36
37 A directory traversal vulnerability was discovered in aria2.
38
39 Impact
40 ======
41
42 A remote attacker could entice a user to download from a specially
43 crafted metalink file, resulting in the creation of arbitrary files.
44
45 Workaround
46 ==========
47
48 There is no known workaround at this time.
49
50 Resolution
51 ==========
52
53 All aria2 users should upgrade to the latest version:
54
55 # emerge --sync
56 # emerge --ask --oneshot --verbose ">=net-misc/aria2-1.9.3"
57
58 References
59 ==========
60
61 [ 1 ] CVE-2010-1512
62 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1512
63
64 Availability
65 ============
66
67 This GLSA and any updates to it are available for viewing at
68 the Gentoo Security Website:
69
70 http://security.gentoo.org/glsa/glsa-201101-04.xml
71
72 Concerns?
73 =========
74
75 Security is a primary focus of Gentoo Linux and ensuring the
76 confidentiality and security of our users machines is of utmost
77 importance to us. Any security concerns should be addressed to
78 security@g.o or alternatively, you may file a bug at
79 https://bugs.gentoo.org.
80
81 License
82 =======
83
84 Copyright 2011 Gentoo Foundation, Inc; referenced text
85 belongs to its owner(s).
86
87 The contents of this document are licensed under the
88 Creative Commons - Attribution / Share Alike license.
89
90 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature