A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory. For the stable distribution , this problem has been fixed in version 0.14.0-1+lenny2. For the unstable distribution , this problem has been fixed in version 1.9.3-1. We recommend that you upgrade your aria2 package.