Debian Linux Security Advisory 2085-1 – It was discovered that in lftp, a command-line HTTP/FTP client, there is no proper validation of the filename provided by the server through the Content-Disposition header; attackers can use this flaw by suggesting a filename they wish to overwrite on the client machine, and then possibly execute arbitrary code (for instance if the attacker elects to write a dotfile in a home directory).
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/92426/dsa-2085-1.txt
Source: https://packetstormsecurity.com/files/92426/Debian-Linux-Security-Advisory-2085-1.html