A vulnerability was discovered in aria2, a download client. The “name”
attribute of the “file” element of metalink files is not properly
sanitised before using it to download files. If a user is tricked into
downloading from a specially crafted metalink file, this can be
exploited to download files to directories outside of the intended
download directory.

For the stable distribution (lenny), this problem has been fixed in
version 0.14.0-1+lenny2.

For the unstable distribution (sid), this problem has been fixed in
version 1.9.3-1.

We recommend that you upgrade your aria2 package.
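
The kind of check the advisory describes as missing can be sketched as follows. This is an added example, not aria2's code or its actual fix; the function names `safe_target` and `check_metalink` are hypothetical and the sample metalink document is constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample metalink document (not taken from the advisory).
SAMPLE_METALINK = """<?xml version="1.0"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="release/tool-1.0.tar.gz"/>
    <file name="../../outside.txt"/>
    <file name="/tmp/absolute.txt"/>
    <file name="docs/../../escape.txt"/>
  </files>
</metalink>
"""

def safe_target(download_dir, name):
    """Return the absolute path for `name`, or None if it would leave download_dir."""
    if not name or "\x00" in name:
        return None
    # Treat backslashes as separators so Windows-style names get the same check.
    normalized = name.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes outright.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # The resolved path must be strictly below the download directory.
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target

def check_metalink(xml_text, download_dir):
    """Map each file "name" attribute to True (stays inside) or False (rejected)."""
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        # Compare the local tag name only, so any metalink namespace is accepted.
        if elem.tag.rsplit("}", 1)[-1] == "file":
            name = elem.get("name", "")
            results[name] = safe_target(download_dir, name) is not None
    return results

if __name__ == "__main__":
    for name, ok in check_metalink(SAMPLE_METALINK, "downloads").items():
        print("accept" if ok else "REJECT", repr(name))
```

Because `os.path.realpath` resolves symbolic links, a name that passes through a link pointing outside the download directory is rejected as well.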

CPE Name | Operator | Version
---|---|---
aria2 | eq | 0.14.0-1
aria2 | eq | 0.14.0-1+lenny1