Secunia Research reported [1] a flaw in aria2. From their advisory: Secunia Research has discovered a vulnerability in aria2, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application not properly sanitising the "name" attribute of the "file" element of metalink files before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory via directory traversal attacks. Version 1.9.3 is indicated as being fixed, via changeset 2097 [2]. This issue has been given the name CVE-2010-1512. [1] http://secunia.com/secunia_research/2010-71/ [2] http://sourceforge.net/apps/trac/aria2/changeset/2097
Created aria2 tracking bugs for this issue Affects: fedora-all [bug 592014]
aria2-1.9.3-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/aria2-1.9.3-1.fc13
aria2-1.9.3-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/aria2-1.9.3-1.fc12
aria2-1.9.3-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/aria2-1.9.3-1.fc11
aria2-1.9.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
aria2-1.9.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
aria2-1.9.3-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.