Debian Security Advisory
mirror -- Incorrect directory name handling in mirror
- Date Reported:
- 18 Oct 1999
- Affected Packages:
- mirror
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0354.
- More information:
- We have received reports that the version of mirror distributed in Debian
GNU/Linux 2.1 could be remotely exploited. When mirroring a remote site, a
malicious owner of that site could use filename constructions like ".." that
would cause mirror to work one level above the target directory for the
mirrored files, so that the user unknowingly overwrites local data.
- Fixed in:
- Source:
- http://security.debian.org/dists/slink/updates/source/mirror_2.9-2.1.diff.gz
- http://security.debian.org/dists/slink/updates/source/mirror_2.9-2.1.dsc
- http://security.debian.org/dists/slink/updates/source/mirror_2.9.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/dists/stable/updates/binary-all/mirror_2.9-2.1_all.deb
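
The check a mirroring tool needs against the ".." problem described above, as an added example that is not code from mirror or from the Debian fix: every name in a remote listing is validated component by component before it is mapped under the target directory. The function names, the target directory and the sample listing are constructed for illustration.

```python
import posixpath

def safe_local_path(target_dir, remote_name):
    """Map a remote listing name to a path below target_dir, or raise ValueError."""
    if not remote_name or "\x00" in remote_name:
        raise ValueError("empty name or NUL byte")
    if remote_name.startswith("/"):
        raise ValueError("absolute name")
    # Compare whole components: "..hidden" is a legal name, ".." is not.
    if ".." in remote_name.split("/"):
        raise ValueError("'..' component")
    root = posixpath.normpath(target_dir)
    candidate = posixpath.normpath(posixpath.join(root, remote_name))
    # Defence in depth: the normalised result must sit strictly below root.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError("resolves outside target directory")
    return candidate

def filter_listing(target_dir, names):
    """Split a remote listing into safe local paths and rejected (name, reason) pairs."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(target_dir, name))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected

# Constructed sample listing, as a remote server might return it.
SAMPLE_LISTING = [
    "pub/README",
    "pub/./notes.txt",
    "..hidden/file",
    "../outside.txt",
    "pub/../../outside.txt",
    "/tmp/outside.txt",
]

if __name__ == "__main__":
    ok, bad = filter_listing("/srv/mirror/site", SAMPLE_LISTING)
    for path in ok:
        print("write :", path)
    for name, reason in bad:
        print("reject:", repr(name), "-", reason)
```

The check is purely lexical: it does not resolve symbolic links that already exist under the target directory.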