ArchLinux: 201411-1: tnftp: arbitrary command execution
Summary
tnftp versions before 20141031 derive the output file name from the final URL when no -o option is given, including after following an HTTP redirect. A file name beginning with '|' is treated as a command to pipe the download into, so a malicious web server can redirect the client to such a URL and have tnftp execute arbitrary commands as the invoking user (CVE-2014-8517).
Resolution
Upgrade to 20141031-1.
# pacman -Syu "tnftp>=20141031-1"
The problem has been fixed upstream in version 20141031.
References
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8517
https://bugzilla.redhat.com/show_bug.cgi?id=1158286
https://bugs.archlinux.org/task/42646
https://seclists.org/oss-sec/2014/q4/459
Workaround
Specifying the output file name explicitly with -o when fetching HTTP URLs with tnftp prevents the arbitrary command execution, because tnftp then never derives the output name from the (possibly redirected) URL.
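To make the summary and the workaround concrete, here is an added Python model (not tnftp's code) of how the pre-fix client chose its output file after a redirect, why a '|'-prefixed name from the server was dangerous, and what the -o workaround and the upstream fix change. The redirect table, host names and file names are constructed sample data; the exact internal checks of fetch_url are an assumption simplified for illustration.

```python
"""Model of the tnftp output-name bug (CVE-2014-8517) and the -o workaround.

This is an illustration added to the advisory, not tnftp's own code. It mimics
the observable behaviour: without -o, the save name is the last path component
of the final URL after redirects, and a name starting with '|' is piped to a
shell via popen(). The hardened variant models the -o workaround and the
post-20141031 behaviour (assumption: URL-derived names may never be pipes).
"""
from urllib.parse import urlsplit, urljoin, unquote
import posixpath

# Constructed sample: a server that answers the innocent-looking URL with a
# redirect whose last path component begins with '|'.
REDIRECTS = {
    "http://files.example.test/pub/report.txt":
        "http://files.example.test/dl/|id",
}


def follow_redirects(start_url, redirects, limit=5):
    """Walk the constructed Location table and return the final URL."""
    url = start_url
    for _ in range(limit):
        location = redirects.get(url)
        if location is None:
            return url
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")


def derive_savefile(url):
    """Save name tnftp derives when -o is absent: the URL-decoded last path
    component of the final URL (model of fetch_url, assumption)."""
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path)


def vulnerable_sink(savefile):
    """Pre-fix behaviour: a leading '|' means 'pipe the body into this
    command'; the model returns the decision instead of calling popen()."""
    if savefile.startswith("|"):
        return ("popen", savefile[1:])
    return ("fopen", savefile)


def hardened_sink(savefile, user_supplied):
    """Post-fix / -o behaviour: only a name the user typed on the command line
    may be a pipe; a name derived from the URL is always opened as a file."""
    if savefile.startswith("|") and not user_supplied:
        raise ValueError("refusing to pipe output to a URL-derived name")
    return vulnerable_sink(savefile)


def plan_fetch(start_url, redirects, outfile=None, fixed=False):
    """Decide how the download would be written: ('popen', cmd) or
    ('fopen', name). outfile models the -o option; fixed selects the
    hardened client."""
    final_url = follow_redirects(start_url, redirects)
    if outfile is not None:
        name, user_supplied = outfile, True
    else:
        name, user_supplied = derive_savefile(final_url), False
    if fixed:
        return hardened_sink(name, user_supplied)
    return vulnerable_sink(name)


if __name__ == "__main__":
    url = "http://files.example.test/pub/report.txt"
    print("old client, no -o :", plan_fetch(url, REDIRECTS))
    print("old client, -o     :", plan_fetch(url, REDIRECTS, outfile="report.txt"))
    try:
        plan_fetch(url, REDIRECTS, fixed=True)
    except ValueError as err:
        print("fixed client, no -o:", err)
```

The first call shows the attack surface: the name the server chose ("|id") reaches the pipe branch. Passing -o pins the name the user chose, which is exactly the workaround above, and the fixed client refuses a URL-derived pipe name outright.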