From 74fe0b1fdc8eeb87d944e5d52432268de7d61da2 Mon Sep 17 00:00:00 2001
From: Jiri Skala
Date: Jun 11 2010 11:37:57 +0000
Subject: - fixes #602836 - CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability - updated to latest version
---
diff --git a/.cvsignore b/.cvsignore
index 7cfd980..56174c2 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-lftp-4.0.5.tar.lzma
+lftp-4.0.8.tar.lzma
diff --git a/lftp-4.0.5-ccc.patch b/lftp-4.0.5-ccc.patch
deleted file mode 100644
index 396d490..0000000
--- a/lftp-4.0.5-ccc.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up lftp-4.0.5/src/ftpclass.cc.ccc lftp-4.0.5/src/ftpclass.cc
---- lftp-4.0.5/src/ftpclass.cc.ccc 2010-03-04 14:15:05.633239152 +0100
-+++ lftp-4.0.5/src/ftpclass.cc 2010-03-04 14:15:56.237488489 +0100
-@@ -4136,6 +4136,7 @@ void Ftp::CheckResp(int act)
- case Expect::CCC:
- if(is2XX(act))
- {
-+ conn->control_send->PutEOF();
- state=WAITING_CCC_SHUTDOWN;
- conn->waiting_ssl_timer.Reset();
- }
diff --git a/lftp.spec b/lftp.spec
index 00cb052..d01d522 100644
--- a/lftp.spec
+++ b/lftp.spec
@@ -1,7 +1,7 @@
 Summary: A sophisticated file transfer program
 Name: lftp
-Version: 4.0.5
-Release: 3%{?dist}
+Version: 4.0.8
+Release: 1%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Source0: ftp://ftp.yar.ru/lftp/lftp-%{version}.tar.lzma
@@ -9,8 +9,7 @@ URL: http://lftp.yar.ru/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: ncurses-devel, gnutls-devel, pkgconfig, readline-devel, gettext
-Patch1: lftp-4.0.5-ccc.patch
-Patch2: lftp-4.0.5-manconf.patch
+Patch1: lftp-4.0.5-manconf.patch
 %description
 LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job
@@ -30,8 +29,7 @@ Utility scripts for use with lftp.
 %prep
 %setup -q
-%patch1 -p1 -b .ccc
-%patch2 -p1 -b .manconf
+%patch1 -p1 -b .manconf
 #sed -i.rpath -e '/lftp_cv_openssl/s|-R.*lib||' configure
 sed -i.norpath -e \
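Review bot: The `Patch1: lftp-4.0.5-ccc.patch` line and its `%patch1 -p1 -b .ccc` application are dropped from lftp.spec with no record of why. The deleted patch added `conn->control_send->PutEOF();` to the `Expect::CCC` branch of `Ftp::CheckResp`; presumably upstream 4.0.8 already carries that change, but neither the commit message nor the new changelog entry says so. Check the 4.0.8 `src/ftpclass.cc` for that call before building, and record the removal in `%changelog`, for example `- removed ccc patch (merged upstream)`. Without that check, an FTP CCC-shutdown fix could regress unnoticed inside an update that is being shipped as a CVE fix.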
@@ -94,6 +92,10 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Fri Jun 11 2010 Jiri Skala - 4.0.8-1
+- fixes #602836 - CVE-2010-2251 lftp: multiple HTTP client download filename vulnerability
+- updated to latest version
+
 * Wed Apr 01 2010 Jiri Skala - 4.0.5-3
 - fixes #525662 - Missing man-pages
diff --git a/sources b/sources
index df94c5f..85e4f6f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-07803bc69f5f78538e2534a484af174f lftp-4.0.5.tar.lzma
+a8900b3481b1f8e2be7f01e6acfedbae lftp-4.0.8.tar.lzma