
Debian alert DLA-4513-1 (gvfs)

From:  Andreas Henriksson <andreas@fatal.se>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4513-1] gvfs security update
Date:  Sat, 28 Mar 2026 15:10:08 +0100
Message-ID:  <unzoakwxlb3xrnrtowlyk2ts7qcs3nqqrkimkb4ilyyrkvoasu@f2nwskz2zh33>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4513-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
March 28, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gvfs
Version        : 1.46.2-2+deb11u1
CVE ID         : CVE-2026-28295 CVE-2026-28296
Debian Bug     : 1129285 1129286

Codean Labs found that gvfs, a virtual filesystem implementation, was
affected by multiple vulnerabilities, including an FTP bounce attack,
which could lead to probing of open ports on the client's network, and
improper CRLF validation, which could allow an attacker to inject
arbitrary FTP commands.

CVE-2026-28295

    A malicious FTP server can exploit this vulnerability by providing
    an arbitrary IP address and port in its passive mode (PASV)
    response. The client unconditionally trusts this information and
    attempts to connect to the specified endpoint, allowing the
    malicious server to probe for open ports accessible from the
    client's network.

CVE-2026-28296

    A remote attacker could exploit this input validation vulnerability
    by supplying specially crafted file paths containing carriage
    return and line feed (CRLF) sequences. These unsanitized sequences
    allow the attacker to terminate intended FTP commands and inject
    arbitrary FTP commands, potentially leading to arbitrary code
    execution or other severe impacts.

For Debian 11 bullseye, these problems have been fixed in version
1.46.2-2+deb11u1.

We recommend that you upgrade your gvfs packages.

For the detailed security status of gvfs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gvfs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
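The two weaknesses described above are both client-side input validation gaps on the FTP control channel. The following C program is an added illustration of the general defensive checks, written for this page; it is not gvfs code and does not claim to reproduce the Debian patch. The function and enum names are assumptions made here. It shows the usual mitigation for PASV-based bouncing (refuse to open a data connection to any host other than the one the control connection already talks to) and the usual mitigation for CRLF injection (reject a path containing CR or LF before it is placed on a command line, since those bytes terminate an FTP command). The sample replies and paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for PASV reply validation (names chosen for this example). */
enum pasv_result {
    PASV_OK = 0,
    PASV_MALFORMED = 1,
    PASV_HOST_MISMATCH = 2,
    PASV_BAD_PORT = 3
};

/* Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
 * The advertised host is written to out_host and the port to *out_port so the
 * caller can log what the server asked for. PASV_OK is returned only when the
 * advertised host equals control_peer, the address the control connection was
 * opened to; any other host is refused, so a server cannot turn the client
 * into a port scanner for third-party addresses. */
enum pasv_result validate_pasv_reply(const char *reply, const char *control_peer,
                                     char *out_host, size_t out_host_len,
                                     int *out_port)
{
    unsigned int h[4], p[2];
    const char *open = strchr(reply, '(');

    if (open == NULL || strncmp(reply, "227", 3) != 0)
        return PASV_MALFORMED;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return PASV_MALFORMED;
    /* Each field is one byte; this also rejects negative input that %u wraps. */
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return PASV_MALFORMED;
    if (p[0] > 255 || p[1] > 255)
        return PASV_MALFORMED;

    int port = (int)(p[0] * 256 + p[1]);
    snprintf(out_host, out_host_len, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *out_port = port;

    if (port == 0)
        return PASV_BAD_PORT;
    if (strcmp(out_host, control_peer) != 0)
        return PASV_HOST_MISMATCH;
    return PASV_OK;
}

/* Return 1 if path may be embedded in an FTP command line, 0 otherwise.
 * CR and LF end a command, so a path carrying them would let extra commands
 * ride along; such paths are refused rather than escaped. */
int ftp_path_is_clean(const char *path)
{
    for (const unsigned char *c = (const unsigned char *)path; *c != '\0'; c++) {
        if (*c == '\r' || *c == '\n')
            return 0;
    }
    return 1;
}

int main(void)
{
    char host[16];
    int port = 0;
    /* Constructed replies: the first advertises the server's own address, the
     * second asks the client to open its data connection elsewhere. */
    const char *own = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n";
    const char *other = "227 Entering Passive Mode (192,0,2,99,0,22)\r\n";

    printf("own host:   result=%d (%s:%d)\n",
           validate_pasv_reply(own, "192.0.2.10", host, sizeof host, &port), host, port);
    printf("other host: result=%d (%s:%d)\n",
           validate_pasv_reply(other, "192.0.2.10", host, sizeof host, &port), host, port);
    printf("clean path: %d\n", ftp_path_is_clean("pub/readme.txt"));
    printf("crlf path:  %d\n", ftp_path_is_clean("bad\r\nname"));
    return 0;
}
```

The host comparison is the same policy that mainstream FTP clients apply by default; a client that needs to honour a differing PASV address (for example behind some NAT setups) should treat that as an explicit opt-in rather than the default, so the fail-safe behaviour is to use the control connection's peer address and ignore the advertised host.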




Copyright © 2026, Eklektix, Inc.