DSA-2047-1 aria2 -- insufficient input sanitising

ID: oval:org.secpod.oval:def:600040 | Date: (C)2011-01-28 (M)2022-10-10 | Class: PATCH | Family: unix
A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory.

For the stable distribution, this problem has been fixed in version 0.14.0-1+lenny2. For the unstable distribution, this problem has been fixed in version 1.9.3-1.

We recommend that you upgrade your aria2 package.
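The containment check that the "name" attribute needs, as an added example rather than aria2's own code or the Debian patch: it audits a metalink document and reports which file names would resolve outside the download directory. The Metalink 3.0 layout of the sample, the `/srv/downloads` directory and the function names `is_contained` and `audit_metalink` are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample metalink (not from the advisory); URLs are placeholders.
SAMPLE_METALINK = """<?xml version="1.0"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="release/tool-1.0.tar.gz"><resources><url>http://example.invalid/a</url></resources></file>
    <file name="../../outside.txt"><resources><url>http://example.invalid/b</url></resources></file>
    <file name="/tmp/outside.txt"><resources><url>http://example.invalid/c</url></resources></file>
    <file name="docs/../../outside.txt"><resources><url>http://example.invalid/d</url></resources></file>
  </files>
</metalink>
"""


def is_contained(download_dir, name):
    """Return True only if download_dir/name resolves strictly inside download_dir."""
    if not name or "\x00" in name:
        return False
    name = name.replace("\\", "/")  # treat backslashes as separators, conservatively
    if os.path.isabs(name):
        return False
    base = os.path.realpath(download_dir)
    # Resolve ".." components (and any symlinks that exist) before comparing.
    target = os.path.realpath(os.path.join(base, name))
    return target != base and os.path.commonpath([base, target]) == base


def audit_metalink(xml_text, download_dir):
    """Return (name, contained) for every <file> element, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    results = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "file":
            name = elem.get("name", "")
            results.append((name, is_contained(download_dir, name)))
    return results


if __name__ == "__main__":
    for name, ok in audit_metalink(SAMPLE_METALINK, "/srv/downloads"):
        print(("ok      " if ok else "REJECT  ") + name)
```

The comparison is made on the resolved path rather than by searching the string for `..`, so a name such as `docs/../../outside.txt` is rejected while `docs/../file.txt` would still be accepted.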