Ubuntu Security Notice 984-1 – It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/93604/USN-984-1.txt
Source: https://packetstormsecurity.com/files/93604/Ubuntu-Security-Notice-984-1.html