On Tue, Dec 09, 2014 at 06:46:32PM +0100, Vitezslav Cizek wrote:
> Hi,
> I've noticed lftp is using code borrowed from curl.
> That makes lftp affected by CVE-2014-0139:
> http://curl.haxx.se/docs/adv_20140326B.html
>
> It's not the most critical vulnerability, but anyway,
> I'll suggest updating to the code from the latest curl for the next release.

Thanks for the report! I've included the hostmatch function from the latest curl.
The fixed version is on GitHub now and a snapshot is here:
http://lftp.yar.ru/ftp/devel/lftp-4.6.1.20150210.tar.gz

--
Alexander.