Metalink News : 07 Jun 2010
5 views
Skip to first unread message
Ant Bryan
Jun 7, 2010, 3:46:53 AM6/7/10
to Metalink Announcements
RFC 5854 : The Metalink Download Description Format
Internet Draft: FTP Extensions for Cryptographic Hashes
"An introduction to Metalink/HTTP"
***Multiple vulnerabilities in Metalink clients***
Updated: Appupdater, aria2, DTA, KGet, MirrorBrain
...
RFC 5854 : The Metalink Download Description Format
We proudly announce RFC 5854: The Metalink Download Description Format
as a Proposed Standard from the IETF! It took over two years of work,
but it's finally here.
http://tools.ietf.org/html/rfc5854
There are differences between Metalink described in the RFC and
Metalink 3.0 which make them incompatible. If you are an application
author, please think about supporting the RFC version. Changes to your
software will likely be minimal.
Details on the differences and what software currently supports it:
http://groups.google.com/group/metalink-discussion/web/internetdraft
...
Internet Draft: FTP Extensions for Cryptographic Hashes
A new Internet Draft describing a new FTP command for requesting the
cryptographic hash of a file is available.
This is a very early version, and we're still looking for review and
public comments.
http://tools.ietf.org/html/draft-bryan-ftp-hash
with interim revisions at
http://metalinks.svn.sourceforge.net/viewvc/metalinks/internetdraft/
...
"An introduction to Metalink/HTTP"
This post talks about Metalink/HTTP, which is still in progress. RFC
5843: Additional Hash Algorithms for HTTP Instance Digests can be used
by Metalink/HTTP.
http://hueniverse.com/2010/05/metalinkhttp/
http://tools.ietf.org/html/draft-bryan-metalinkhttp
http://tools.ietf.org/html/rfc5843
...
***Multiple vulnerabilities in Metalink clients***
At least 4 Metalink clients shared the same vulnerability. If you are
an author of a Metalink client, please check to make sure your
application is not affected.
The vulnerability is caused due to the application not properly
sanitising the "name" attribute of the "file" element of metalink
files before using it to download files. If a user is tricked into
downloading from a specially crafted metalink file, this can be
exploited to download files to directories outside of the intended
download directory via directory traversal attacks.
aria2 metalink "name" Directory Traversal Vulnerability
http://secunia.com/advisories/39529
Free Download Manager metalink "name" Directory Traversal
http://secunia.com/secunia_research/2010-67/
KDE KGet Insecure File Operation and Directory Traversal
http://secunia.com/advisories/39528/
Orbit Downloader metalink "name" Directory Traversal Vulnerability
http://secunia.com/advisories/39527/
...
Updated: Appupdater, aria2, DTA, KGet, MirrorBrain
Some Metalink related software has been updated.
http://www.nabber.org/projects/appupdater/
http://aria2.sourceforge.net/
http://www.downthemall.net/
http://www.kde.org/
http://www.mirrorbrain.org/
Internet Draft: FTP Extensions for Cryptographic Hashes
"An introduction to Metalink/HTTP"
***Multiple vulnerabilities in Metalink clients***
Updated: Appupdater, aria2, DTA, KGet, MirrorBrain
...
RFC 5854 : The Metalink Download Description Format
We proudly announce RFC 5854: The Metalink Download Description Format
as a Proposed Standard from the IETF! It took over two years of work,
but it's finally here.
http://tools.ietf.org/html/rfc5854
There are differences between Metalink described in the RFC and
Metalink 3.0 which make them incompatible. If you are an application
author, please think about supporting the RFC version. Changes to your
software will likely be minimal.
Details on the differences and what software currently supports it:
http://groups.google.com/group/metalink-discussion/web/internetdraft
...
Internet Draft: FTP Extensions for Cryptographic Hashes
A new Internet Draft describing a new FTP command for requesting the
cryptographic hash of a file is available.
This is a very early version, and we're still looking for review and
public comments.
http://tools.ietf.org/html/draft-bryan-ftp-hash
with interim revisions at
http://metalinks.svn.sourceforge.net/viewvc/metalinks/internetdraft/
...
"An introduction to Metalink/HTTP"
This post talks about Metalink/HTTP, which is still in progress. RFC
5843: Additional Hash Algorithms for HTTP Instance Digests can be used
by Metalink/HTTP.
http://hueniverse.com/2010/05/metalinkhttp/
http://tools.ietf.org/html/draft-bryan-metalinkhttp
http://tools.ietf.org/html/rfc5843
...
***Multiple vulnerabilities in Metalink clients***
At least 4 Metalink clients shared the same vulnerability. If you are
an author of a Metalink client, please check to make sure your
application is not affected.
The vulnerability is caused due to the application not properly
sanitising the "name" attribute of the "file" element of metalink
files before using it to download files. If a user is tricked into
downloading from a specially crafted metalink file, this can be
exploited to download files to directories outside of the intended
download directory via directory traversal attacks.
aria2 metalink "name" Directory Traversal Vulnerability
http://secunia.com/advisories/39529
Free Download Manager metalink "name" Directory Traversal
http://secunia.com/secunia_research/2010-67/
KDE KGet Insecure File Operation and Directory Traversal
http://secunia.com/advisories/39528/
Orbit Downloader metalink "name" Directory Traversal Vulnerability
http://secunia.com/advisories/39527/
...
Updated: Appupdater, aria2, DTA, KGet, MirrorBrain
Some Metalink related software has been updated.
http://www.nabber.org/projects/appupdater/
http://aria2.sourceforge.net/
http://www.downthemall.net/
http://www.kde.org/
http://www.mirrorbrain.org/
Reply all
Reply to author
Forward
0 new messages