Debian Linux Security Advisory 2047-1 - A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory.
e3b1543cd45fea6947a527b31032918885b57dbbf08f6cd7f41e24a617b76ae9