[VIM] Slackware security a tad behind..
security curmudgeon
jericho at attrition.org
Mon May 16 17:57:34 EDT 2005
In the past I've noted vendors who are slow to patch. Slackware may win
the record with a two and a half year delay..

http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.349681
Date: Sun, 15 May 2005 23:54:44 -0700 (PDT)

fixes a vuln in NcFTP and references:

http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5

That changelog entry:

3.1.5, 2002-10-13 <---

Security: Problem fixed where a malicious or trojaned FTP server could send
back pathnames with directories different from the directory requested. For
example, if you did:

    cd /pub
    get *.zip

the malicious server could send back a pathname like
../../../some/other/dir/filename.here rather than pathnames such as
filename.zip, and trick NcFTP into writing into a different local pathname if
your user privileges had permission to write it.

This problem affects many other FTP client programs. We were asked not to post
this item in the change log until these other programs could be fixed. That is
why this item in the change log was added two months after the initial posting
of version 3.1.5.
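
Added example, not part of the original post and not NcFTP's actual fix: a client-side check of the kind the changelog entry implies, refusing any server-returned name for a wildcard get that carries a directory component. The function name local_name_ok and the sample listing are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not NcFTP code): may a pathname returned by the
 * server for a wildcard "get" in the current remote directory be used as
 * the local file name? Returns 1 to accept, 0 to refuse. */
int local_name_ok(const char *name)
{
    size_t i, n;

    if (name == NULL || *name == '\0')
        return 0;
    /* "." and ".." are directories, never a file to write. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    n = strlen(name);
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Any separator means the server is choosing the directory. */
        if (c == '/' || c == '\\')
            return 0;
        /* Control characters do not belong in a listing entry. */
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample of names a server might return for "get *.zip". */
    const char *const listing[] = {
        "filename.zip",
        "../../../some/other/dir/filename.here",
        "/some/other/dir/filename.here",
        "..",
    };
    size_t i;

    for (i = 0; i < sizeof listing / sizeof listing[0]; i++)
        printf("%-40s %s\n", listing[i],
               local_name_ok(listing[i]) ? "accept" : "REFUSE");
    return 0;
}
```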