7 September 2010
A security issue affects these releases of Ubuntu and its derivatives:
It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
ATTENTION: This update changes previous behaviour by ignoring the filename supplied by servers in Content-Disposition headers. To re-enable previous behaviour, use the new xfer:auto-rename setting.
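The following added example (not LFTP's code and not part of the original notice) shows how a download script can treat a server-suggested filename defensively: ignore it by default, as the updated package does, and reduce it to a plain, non-hidden basename when it is honoured. The function names, the `honor_header` switch and the allowed-character list are assumptions made for illustration.

```python
import re
from email.message import Message

# Assumption: a conservative allow-list for names created on the local disk.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def suggested_filename(header_value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    if not header_value:
        return None
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def sanitize(name):
    """Reduce a server-supplied name to a plain, non-hidden basename.

    Returns '' when nothing usable is left.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    base = _UNSAFE.sub("_", base)                       # spaces, control chars, etc.
    return base.lstrip(".")[:255]                       # no dotfiles, '.' or '..'


def choose_local_name(header_value, requested_name, honor_header=False):
    """Pick the local filename for a download.

    requested_name is the name the user asked for (trusted here by assumption).
    The header is ignored unless honor_header is set, and even then only a
    sanitized basename is accepted.
    """
    if not honor_header:
        return requested_name
    suggested = suggested_filename(header_value)
    cleaned = sanitize(suggested) if suggested else ""
    return cleaned or requested_name


if __name__ == "__main__":
    # Constructed sample header values, not taken from real traffic.
    samples = [
        'attachment; filename=".bashrc"',
        'attachment; filename="../../.ssh/authorized_keys"',
        'attachment; filename="q3 report.pdf"',
    ]
    for value in samples:
        print(value, "->", choose_local_name(value, "download.bin", honor_header=True))
```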